MicroWay


PROGRAMMING TOOLS 


Australia’s 
Major Distributor 
of Programming 
Tools! 


MicroWay is Australia’s 
largest distributor of 
development products. With 
over 3,000 products and 
over 20,000 customers 
throughout Australia we've been 
helping Australian 
developers for over 16 years. 


THIS MONTH'S
SPECIAL OFFER


RoboHelp Enterprise


TAKES THE GUESSWORK OUT 

OF DEVELOPING APPLICATIONS 
Introducing RoboHelp Enterprise*, the intelligent
software that uncovers how people are using your
help systems and applications. Its new help
technology provides development teams direct
feedback about end users' questions and problems.
RoboHelp Enterprise increases the efficiency of
development teams at organisations of any size, and
simultaneously reduces the high cost of support with
features such as:


* Feedback reports give you data on what
users are asking


* Superior Natural Language Search


* Supports Team development with Fast
Project Merging


RoboHelp 9 Customers can 


save up to $300 


on purchases of RHE and RIE. 
Plus, get Gamani GIF Movie Gear 
Software FREE!! 


*Currently supports English only 
(expires August 31, 2001)


Visual SlickEdit


The award-winning editor from 
MicroEdge, Inc. increases 
development productivity and 
improves software quality. It 
supports most languages out of 
the box and is extendable to support your favourite 
language as well. Powerful features include: 
Context Tagging, DIFFzilla, FTP Support, a Class 
Browser and a Code Beautifier! With a multi-platform
presence and integration with industry
leading development environments, Visual
SlickEdit provides an entire organisation with a
standard coding environment.


$640


Crystal Reports 
Developer 8.5 


With Crystal Reports you can 
easily deliver rich, interactive 
content from virtually any data 
NEW \ / peels it to the Web, 
grate it within your 
applications. Includes flexible 
developer tools for web and 
Windows developers, a royalty-free runtime 
license, comprehensive support for development 
languages and the ability for your users to design 


reports from within your
applications.


$925


CodeWright 


CodeWright, the Programmer's 
Editing System, provides a 
complete toolkit with the ability to 
adapt to new technologies and 
languages. CodeWright
standardises development
environments and alleviates the
need for developers to continually
learn the idiosyncrasies of a variety of development
GUIs. CodeWright 6.6 features such as Advanced
StarTeam Integration; enhanced CodeSense for C#,
Java, C and C++; Directory Differencing and
Side-by-Side Difference Printing; and
code beautification and tag
matching support for HTML/XML.


$645


FEATURED PRODUCT


JProbe 3.0


JProbe 3.0 takes problem
detection for Java apps to a new
level. As more and more
developers move to rapid

application development, support 
for multiple iterations is becoming paramount. 
JProbe offers performance snapshot differencing, 
the ability to compare multiple snapshots quickly 
and easily. It’s great for tracking performance 
problems introduced over the development 
lifecycle and for developing performance 
standards. This gives you a performance baseline 
against which every team member can measure. 


sales@microway.com.au 


Prices, correct at time of going to press, may change without notice. Product names are registered trademarks of their respective owners. 


BEST PRICING 


BEST 


VMWare 
Workstation 


VMware delivers a flexible and safe 
computing environment by providing 
multiple virtual computers on a 
single PC. VMware is the solution for: Windows with 
Linux; Developers; Technical Support; Quality 
Assurance; Web Developers. You can create a whole 
set of virtual computers — whether you operate under 
Linux, Windows NT, or Windows 2000. And forget 
about dual booting. You can run them all at the same 
time. All your work takes place on one machine. You 
save money and increase efficiency. 


$710 


Workstation 


HDK 3.5 (2000)


HDK is a powerful, yet simple to
use authoring tool for creating
Web based information systems
and Windows Help systems.


HDK gives you the ability to
seamlessly deliver your
documentation system in any format from
traditional paper manuals, to WinHelp, web-based
HTML, HTML-Help and Java enhanced HTML.
That’s one project, multiple output formats...all at
the push of a button. From paper manuals to the
Web, to WinHelp and back to paper in one
automated process.


$1095
VisualSoft Crypt 


VisualSoft Crypt is an Award 
winning COM Component, which 
provides strong cryptographic 
Algorithms for Secure Web 
Application Development. It 
supports cryptographic algorithms - AES, Serpent,
Mars, DES, TDES, BlowFish, IDEA and RC4 look-alike.
It can be used to encrypt/decrypt string or file
data to provide strong security for sensitive and
confidential information like Passwords, Credit Card
Numbers, Mail, Transaction data and any other
private information travelling on the Web. Winner of
Software Development Magazine's
Jolt Productivity Award.


$755
FEATURED PRODUCT 


InstallShield
Professional


Windows Installer Edition


InstallShield Pro - Windows
Installer Ed 2.0 is the most
comprehensive setup-development
solution that takes full advantage of
Microsoft's latest installation standard. Setup 
authors can take advantage of the powerful 
features of the Windows Installer Service, including 
automatic repair of corrupted files, advertising, 
component management, and rollback to a 
system's original state after a failed installation. 
Tel: 1300 55 33 13


SERVICE 


InstallShield
Express 3.5


NEW VERSION!


Custom Installations out of
the Box in Minutes.


InstallShield Express is the easiest
and most economical solution for
quickly developing straightforward
installations. Express lets you create genuine
InstallShield installations in less than a day, using a
visual installation checklist as a guide. Express fits
any budget and offers an upgrade path to
InstallShield Developer.


$645 


Protection PLUS


The Protection PLUS system is an 
advanced copy protection toolkit 
that ensures proprietary security 
and control. Create fully/partially 
functional demonstration copies of 
your applications, incorporate periodic or permanent 
disabling logic with remote unlock capabilities, 
limit/restrict network client/server access of your 
applications, dynamically establish workstation 
parameters and prohibit your applications from being 
copied onto unauthorised computers. It also includes 
a Client Tracking System that stores protection,
version and historical information for
each client and distributor.


$755


Leadtools 


LEADTOOLS is a family of 
comprehensive toolkits designed for 
programmers to help you integrate 
raster, document, medical, 
multimedia, vector and Internet 
imaging into your applications quickly and easily. 
LEADTOOLS gives you the most flexible and 
powerful imaging technology available, offering 
development support for File Formats (60+), Image 
Compression, Image Processing, Colour Conversion, 
Image Display, Special Effects, Scanning/Capture, 
Common Dialogs, Printing, DICOM, Annotations, 


Forms Recognition, Document
Clean-up, PDF, OCR, Barcode,
Database, and more.


§ 1 O7


FEATURED PRODUCT


RoboHelp 
Office 


The industry standard in 
Help Development 


RoboHelp Office is a powerful suite 
that lets you create full-featured Help systems for 
your Web based applications and software 
applications. This versatile tool automates the Help 
development process making it fast and easy to 
create full-featured Help. Simply add a RoboHELP 
system to your application to significantly improve 
usability. 


*Purchase RoboHelp Office 9 NOW 
and get Fullshot Software for free! 
Expires 31 August 2001 


www.microway.com.au 


All prices include GST. 


BEST SUPPORT 


MicroWay


PROGRAMMING TOOLS


UltraSuite 


Along with the familiar, easy-to- 
use interfaces of Microsoft 
Outlook, Microsoft Office and 
Windows Explorer, UltraSuite 
provides an innovative grid 
component-UltraGrid, plus UltraToolBars that is 
loaded with functionality. With 45 controls, 
UltraSuite includes everything necessary to create 
solutions that look great, and run efficiently, faster 
than ever before. There’s nothing like the 
productivity, flexibility and support of UltraSuite. 
Make the most of your investment - UltraSuite is
available with optional
Subscription Service, or the
UltraSuite Enterprise Edition.


$215


MicroWay guarantees that our prices
are lower than buying directly from
overseas Suppliers and we'll guarantee
to match all local prices. So you know
that when you buy from MicroWay,
you get a fair deal.


*conditions apply
Chart FX Client Server is a COM
based product for developers that
allows you to deploy powerful
charts using VB, Visual C++,
Delphi and Access. The Wizard
manager will help set-up your preferred chart type 
and visual attributes, without even handling 
properties or writing code. The Annotation Extension 
allows programmers and end users to draw shapes 
and import images that can be used to highlight 
important data in the charts. With 400+ Properties, 
Methods and Objects, Chart FX Client Server 


$ 1 08 provides a state-of-the-art help 


TRAINING 


MicroWay Training


for InstallShield, RoboHelp and HDK
We have now scheduled the following
training classes in August and
September:
- Introduction to InstallShield
Professional - Windows Installer
Edition (2 days)
- Introduction to RoboHelp Office
(2 days)
- HDK 2000 Training (2 days).
These are all hands-on workshops
that are being held in Melbourne and
Sydney.
To book and for more information
visit our training area or call
MicroWay on 1300 55 33 13
or email us.


PARASOFT PRODUCTS 
15% OFF 


When you place your order before 31 August 2001 
ParaSoft
Insure++


Insure++ is an automatic runtime error-
detection tool for C/C++ applications; it detects
a variety of problems, including memory
corruption, memory leaks, pointer errors and
I/O errors. It works like an X-ray machine,
automatically exposing hidden defects. When
you test your code with Insure++, you get
incredibly thorough results with minimal work.
Works with Windows, Linux and UNIX
MicroWay is a registered trademark of MicroWay Pty Ltd, ABN 56 129 024 825 


file with Dynamic HTML and 
Drop Down menus. 


Azalea 


Azalea’s bar code software is
available for Microsoft Windows,
Mac, and other platforms, and
includes fonts in both TrueType and
Type 1 PostScript format. Using these fonts, you
can print from within any application including
databases, spreadsheets, word processors, or your
own custom applications. Printing bar codes using
fonts is faster than using graphics like bitmaps
(.BMP). Fonts are easy to integrate into your
favourite applications and are less restrictive than
closed, proprietary labeling
applications. Fonts are by far the
best and most elegant way to
implement bar code printing.


From $215


FEATURED PRODUCT 


MKS Toolkit for
Developers


The Power of 
UNIX on WINDOWS! 


Now all your UNIX knowledge is just as useful on 
Windows. MKS Toolkit for Developers is a Windows 
product for software, script, and Web developers, 
who can choose from UNIX-style command-line or 
graphical Visual Studio build environments. It is 
ideal for developing common, cross-platform scripts 
for UNIX, Linux, and Windows, from a single 
Windows desktop. Uses the power of more than 
300 UNIX and Windows command-line software 
and Web development utilities. 
In a multimedia world, timing is everything.
Andrew Parsons looks at how to use timer classes 
in the .Net framework. 


32 Hog Heaven: Software with Grunt 


Once blue-sky, Gigahertz processors are well and 
truly here. But can we do more with all that 
Dr Carlo Kopp looks at disciplines for writing
software to high-performance processors. 
Why on earth do companies trust million-dollar
e-business strategies to the HTML Post command?
Richard Chirgwin looks at what breaks
e-commerce transactions — and how to avoid it.


28 Distributing Applications 


surrounding distributed applications. 
Compuware can help. Take the mind-numbing task of scanning
for memory problems and performance bottlenecks, for instance. 
With our DevPartner Java Edition, you can pinpoint memory-devouring 


code and improve performance in minutes. 
Scandal of Bank Security


By Richard Chirgwin, 
Group Editor 


Group Editor 
Richard Chirgwin (02) 9080 4456 
richard.chirgwin@informa.com.au 


Journalist 
David Masters 


Sub Editor 
Colleen Mitchell 


Contributors 

Pamela Clark-Dickson, Kate Fitzgerald, 
Dr Carlo Kopp, Andrew Parsons, Andrew 
Perry, Tony Stevenson, Gordon Turner 


Ctrl-U — the view page source shortcut in Netscape — is one of those wonderful commands that exists not for end users but for developers and for curious amateurs.

Sometimes, though, all it does is spoil things. Things like, for example, Internet banking.

When banks first started giving customers Internet access to their accounts some years back, they put a lot of effort into writing stand-alone plug-in applications that were secure, demanding, slow and inconvenient. Of course, when you're talking about end user software, convenient, easy and fast are more important than secure, so these days, banks are starting to use JavaScript to open pretty banking windows at the user’s browser.

And here’s where Ctrl-U comes in: when, out of curiosity, I decided to look at the JavaScript window of my own bank, I was horrified to find that the client JavaScript embeds my account number and a few other details that I’d rather were kept in the bank’s system than mine.

Just how persistent that JavaScript is, I don’t know — but we can make a guess. As a test, I cleared all my caches and logged into Internet banking with my own bank: it took six seconds to load the applet (from mouse click to ‘done’), and thirteen seconds to execute the login (from clicking ‘login’ after I’d entered account number and password).

Then I logged out and ran the application again — without clearing my cache. This time, the applet took two seconds to start; fair enough, since it’s already in the cache. But executing the login was also accelerated — it was down to around four seconds.

In other words, my ‘secure’ Internet banking application keeps some login information permanently in my browser cache.

We've all heard by now that the CBA (not my own bank, by the way) has suffered fraud through Internet channels recently. It’s declined to describe the techniques used, obviously feeling it’s better to leave the information in the hands of a couple of thousand crackers than to let computer-illiterate newspaper readers know what’s going on.

Out in Joe Public land, people have been surprised that banks could let security suffer in this fashion. I’m not surprised at all: in their quest for convenience, it seems that banks are routinely compromising security. And that’s why I use the phone instead — the home phone, not the IP-based office phone, because I don’t want anyone sniffing my account numbers.


Richard Chirgwin 
Group Editor, IT&T. Informa Publishing 
Hopelessly exaggerated claims such as “This product
saved us billions of dollars!” often appear here.


Tired of ad fluff? Get essential developer resources with an MSDN Subscription.
Want to get priority access to over 1,000 continuously-updated product
downloads, DVDs, or CDs with the latest tools, platform, and server
technologies? Get an MSDN Subscription, and start building your next
big thing. msdn.microsoft.com/subscriptions or your nearest reseller.


News in Brief 


Rational Software formed a strategic agreement with communications company Ericsson for it to use the full Rational development suite to accelerate the development of applications for third generation devices and networks. Rational is claiming that the use of its products has cut development time by 25% and produced applications with 80% fewer bugs. Locally, Rational works closely with Ericsson in Melbourne and its several hundred-strong developers across three locations, providing training, implementation and software process services and product mentoring.


Microsoft has fired a salvo at IBM and its subsidiary Lotus in the battle for the corporate e-mail platform, claiming that Exchange now dominates the market with 53 million seats versus Notes’ 27 million. These ‘independent’ research figures from Ferris Research contradict figures released earlier this year at Lotus’ developer conference, Lotus Fusion, which put Notes as a clear leader. However, there is a trend emerging of ISVs looking to develop for both platforms, indicating at least a close race from the two leading collaborative platforms. Lotus has also moved into Microsoft territory, by providing a Web Services toolkit to enable organisations to wrapper Domino data and logic with Internet standards such as XML, SOAP, WSDL and UDDI, and embed custom-built Domino services in non-Domino applications.


The UN/CEFACT (Centre for Trade Facilitation and Electronic Business) proposes to adopt the content specifications, including the business process modelling and core components sections, originating from the ebXML Initiative. The


continues over... 


My Casino Now Someone Else's


Online gambling pioneer My Casino had a smooth run in the media last year, being cited as one of the few outfits to weather the dotcom storm.

However, a shutdown prompted by credit card fraud followed by Australia’s new online gambling regulation has seen the shreds of the company sold to Southern Equity Holdings.

Last year, the company announced that it had suffered an extended period of fraudulent transactions and announced an upgrade to its credit card processing facilities — which had previously been provided by Barclay’s Bank. The online sting cost the company more than four million dollars between April and July 2000. Credit card processing was suspended in July 2000 and resumed in September 2000.

At the time, My Casino announced that false credit card numbers had been used to place fraudulent wagers on its systems.

In December, in response to the Federal Government’s proposed Internet gambling moratorium, My Casino committed itself to continuing its Vanuatu-based operations; however, by April, disappointing revenues and growth led the company to decide to discontinue its wagering operations. Finally, in July, the curtain fell on the operation, with an announcement that its Vanuatu-based Internet casino assets would be sold to Southern Equity Holdings.

Exactly what properties this sale involves is not clear. My Casino’s assets in Vanuatu are held by its subsidiary in that country, International Data Processing Limited, which was reported in Vanuatu as having ceased operations simultaneously with My Casino's ASX announcement.
Richard Chirgwin


Wireless


in Australi


British Telecom’s mobile Internet portal, Genie, is looking to start-up in Australia, with VP for Business Development, Ian Dench, recently spending some time in the country in an effort to drum up business.

It’s not clear as yet whether Dench’s attempts were successful: while here it was reported that he spoke to Telstra OnAir, among others, but there was no confirmation of a deal.

Genie’s entry to the market may be problematic in that its business model — that of providing a Web and mobile portal for its partners and customers, including the technology platform and technical support — is already replicated to some extent within the Australian mobile carriers it is targeting as customers.

Dench, however, says that Genie intends to offer services and applications that might complement existing offerings from carriers, and to target ISPs as well as mobile operators, although “it might take a little while for us to work out what the opportunities are to work together”.

Dench told Systems Developer that Genie is seeking to propagate a “powered-by” business model in the region, which means that carriers and ISPs could white label its products — which may include such applications as a customer registration engine, home page, personalisation facility, personal information management and unified messaging.

The company is also looking at an application service provider business model, and to develop content partnerships while leveraging its existing relationships with vendors such as Openwave.

“We are working with a number of people in the region (including carriers such as Far EasTone in Taiwan and LG Telecom in Korea), that enables us to drive future developments in a way that some operators cannot,” Dench said. Genie Asia currently has Web and WAP portals operating in Hong Kong and Japan (as well as several European countries), and a WAP portal operating in Malaysia.
Pamela Clark-Dickson


Systems Developer August 2001




United States and/or other countries. © 2001 IBM Australia Limited. ABN 79 000 024 733. All rights reserved. SOMSFT0343 




IN THEIR SEARCH FOR BETTER SOFTWARE, THE VISITORS FROM A PARALLEL UNIVERSE FIND 


WEBSPHERE FOR E-COMMERCE


HELPED WHIRLPOOL’S B2B AND B2C SOLUTIONS ACHIEVE 100% ROI IN LESS THAN 9 MONTHS


IT’S A DIFFERENT KIND OF WORLD.
YOU NEED A DIFFERENT KIND OF SOFTWARE.
business software Call 132 426/software or visit ibm.com/software/au


News in Brief 


ebXML Initiative, a joint venture between UN/CEFACT and the Organisation for the Advancement of Structured Information Standards (OASIS), concluded when it delivered and approved its final specifications in Vienna in May 2001.


Lotus has expanded an existing agreement with the Australian Department of Defence, which sees the department taking on an enterprise licence agreement (ELA) for the Lotus suite. The agreement covers the use of the Domino family of servers; Lotus LearningSpace, Sametime and Quickplace. The ELA allows the department to install ELA software on any number of client and server computers for the length of the agreement.


BEA and the University of Queensland have announced a relationship to provide a postgraduate course using BEA software that is called the Masters of Technology Management (MTM). BEA will collaborate with the students and provide face-to-face meetings. It is working with UQ to develop methodologies and materials around its products such as Campaign Manager and Process Integrator and is creating eBusiness scenarios addressing infrastructure architecture.


Aurema, an active resource management (ARM) developer for computer servers, has become the first Australian company to receive funding from the Intel 64 Fund. The fund has been set up to encourage development for the new range of Intel 64-bit processors (IA-64) beginning with the problematic Itanium chip. Aurema’s ARM technology (ARMTech) is claimed to enable server consolidation and provide enhanced QoS on servers using Intel chips.
Siemens Seeks Partners
for Internet Database


Databases


An Internet infrastructure database built by Siemens’ Internet Metrics group in Melbourne is to form the basis of a variety of analytical products targeting various e-commerce sectors.

The first, shipping under the NetAcuity location server brand from partner Digital Envoy, gives users the location of incoming connections, a capability which Siemens Telecommunications’ Internet Metrics manager Ken Doig says can be applied to content customisation, localising advertising, software distribution, digital rights management and fraud detection.

Doig told Systems Developer the Internet Metrics group, which forms the basis of Siemens’ global centre of excellence for Internet mapping, has spent nearly two years creating the database which forms the basis of its development plans.

The NetAcuity product is the first of what the company hopes will be many product and service offerings, all of which will be founded on the infrastructure database.

Having acquired, analysed and processed the raw data, Doig explained, the systems are then delivered to the customer in the form of a server which he said will generally be overlaid by third-party value-adds (such as in the NetAcuity offering).

With IP address to location mapping now on the market, he said Internet Metrics is “now actively engaged in enhancing the products for online fraud detection, which is a major issue for consumers to have confidence in using the Internet”.

Fraud detection, he said, will be based on the ability to compare incoming transactions against known sources of fraudulent transactions, or to help detect whether the location of the incoming transaction correlates with the delivery address.

This capability, he said, is now the subject of “a number of relationships with companies in the US who are aggregation points for online transactions. We provide the Internet infrastructure information, and they provide transaction case histories.”

Market education is Doig’s major focus right now, partly to help recruit partners to develop new applications. “We're looking at wholesaling the database for other companies that need it for a specific application; we're looking at co-development arrangements for people who need more detailed integration with the database; and we're looking at reseller arrangements with people who have an active relationship with major Web sites.”

Because the data is updated on a weekly basis, most of the ISV relationships would involve server colocation of some kind, Doig said. If, for example, a third-party application was colocated with a Siemens-hosted server, it would simplify the task of pushing updates out to the server on a regular basis.

The current offering, NetAcuity, is designed to return the country, state and city of origin of Internet traffic, along with a confidence level for each component. The NetAcuity server is designed to be colocated with Web servers, with interfaces for simple integration with Web applications.

At entry level, the customer can simply send a UDP query containing an IP address to the server, with the answer returned as a text string. Siemens claims up to 99% accuracy at the country level. NetAcuity is available for all commercial operating systems, supports C, Perl and Java APIs, and claims a response of under one millisecond.
Richard Chirgwin
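The two fraud checks described in the article (a match against known fraudulent sources, and whether the located origin correlates with the delivery address) can be sketched as follows. This is an added example, not Siemens or Digital Envoy code; the text reply format, the weights, the confidence threshold and the sample addresses are assumptions made for illustration, since the article only says the server returns country, state and city with a confidence level for each.

```python
"""Added illustration: score a transaction from a geolocation reply.

Assumed, not taken from NetAcuity documentation: the reply is a text string
of semicolon-separated "field=value:confidence" items, confidence 0-100.
"""
from dataclasses import dataclass

# Constructed sample: sources previously linked to fraudulent transactions
# (address taken from a documentation-only range).
KNOWN_FRAUD_SOURCES = {"203.0.113.77"}

# Assumed weights: a mismatch at country level counts for more than at city level.
WEIGHTS = {"country": 0.6, "state": 0.3, "city": 0.1}
MIN_CONFIDENCE = 50  # below this the located component is treated as unknown


@dataclass
class Component:
    value: str
    confidence: int


def parse_reply(reply):
    """Parse e.g. 'country=au:99;state=vic:90;city=melbourne:75' (hypothetical format)."""
    located = {}
    for item in reply.strip().split(";"):
        if not item:
            continue
        name, _, rest = item.partition("=")
        value, _, conf = rest.rpartition(":")
        name = name.strip().lower()
        if name not in WEIGHTS or not value or not conf.strip().isdigit():
            raise ValueError(f"malformed component: {item!r}")
        located[name] = Component(value.strip().lower(), min(int(conf), 100))
    return located


def assess(source_ip, reply, delivery):
    """Return (risk score between 0.0 and 1.0, list of reasons)."""
    # Check 1: the source is already associated with fraudulent transactions.
    if source_ip in KNOWN_FRAUD_SOURCES:
        return 1.0, ["source matches a known fraudulent source"]

    # Check 2: does the located origin correlate with the delivery address?
    located = parse_reply(reply)
    score, reasons = 0.0, []
    for name, weight in WEIGHTS.items():  # coarsest component first
        comp = located.get(name)
        wanted = delivery.get(name, "").strip().lower()
        if comp is None or not wanted or comp.confidence < MIN_CONFIDENCE:
            continue  # not enough evidence either way for this component
        if comp.value != wanted:
            # Scale the penalty by how confident the location server is.
            score += weight * comp.confidence / 100
            reasons.append(f"{name}: located {comp.value}, delivery {wanted}")
            break  # finer components add nothing once a coarser one differs
    return round(score, 2), reasons
```

A low-confidence component is skipped rather than counted as a mismatch, so an uncertain city lookup does not flag a legitimate order.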
Most DSL/Broadband


providers don’t have 
the backbone for it! 


At FLOW Communications we have 
spent the past three years building 
a state-of-the-art network backbone 
enabling us to deliver reliable high- 
speed DSL/Broadband solutions. 


FLOW Broadband Solutions Offer: 
* Speed, in excess of ISDN and up to
50 times the speed of dial up connections.


* Reliability, through our network
guaranteeing 99% network availability.


* Accountability, our network operating
centre’s 24 hour, 7 days a week monitoring
with detailed reporting.


* Convenience, uses your current phone line
allowing simultaneous voice and data traffic.


“I feel the need
for speed™”


The FLOW network allows us to 
provide “Always On™” high-speed 
Internet access in a variety of packages 
designed for your business needs from 
SOHO to large scale applications. 


FLOW Communications range 
of solutions include: 

Web Hosting 

Virtual Private Networks 
Co-Location 

Virtual ISP 


Facilities Management 


Find out how FLOW can get 
your network racing call 
today on 1800 500 406 


Or visit www.flow.com.au 
SIMPLE SOLUTIONS IN A COMPLEX WORLD™


CA Comes to Bluetooth Party 


Wireless 


After being snubbed by Microsoft many were predicting the future for Bluetooth in the enterprise was a gloomy one — but after recent announcements, including a tie-in with another software giant, Computer Associates (CA), Bluetooth technology company Red-M is looking a little rosier.

Following soon on the heels of Microsoft’s decision not to support Bluetooth in Windows XP, CA announced that it would integrate its Unicenter TNG enterprise management solution with Red-M’s Bluetooth networking products and technology. This means that users of CA’s solutions will be able to monitor the functions of a Bluetooth network from within Unicenter, and be notified of any congestion or interruption of service.

Red-M joins a list of companies claimed as CA Mobile eBusiness Management Wireless Partners including Nokia, Qualcomm, Kyocera, Motorola and Palm — whose technologies have been integrated into the Unicenter platform.

Local Red-M Sales Director Ian Lyall was buoyant on the recent win, and in response to the comments from Wireless LAN vendors (using the 802.11 standards) who had suggested “Microsoft’s decision had basically killed off Bluetooth in the enterprise”, Lyall suggested that the software company would be forced to support the technology.

“Microsoft will probably have to provide adaptors into their software,” Lyall said, giving a number of reasons: its continuing membership of the Bluetooth Special Interest Group (SIG) and the pervasion of Bluetooth in devices.

Indeed Microsoft's own Web site details that it is still ‘committed’ to supporting Bluetooth in future Windows and Office releases. Currently Windows supports Bluetooth as a wireless bus, complementing USB and IEEE 1394. However, according to Microsoft, next editions will feature device discovery and configuration; synchronisation and file transfer through OBEX (object exchange protocol); and dial-up networking over cell phones and null modems.

Coming on top of the CA announcement, Red-M also secured an agreement with Motorola, whereby its Bluetooth access servers and access points will be incorporated into the communications manufacturer’s mobility platform. The two companies will work together on client accounts to deliver Bluetooth business solutions; they will also combine for development projects and cross-promotional activities.
David Masters


Playing by the Rules 


Enterprise Apps 


Pegasystems will launch PegaCRM Email 
Manager this month, which will be sold as 
part of the vendor's PegaCRM product 
“because we think that is where it adds the 
most value”, Pegasystems founder and 
CEO, Alan Trefler, said. 

Email Manager will leverage Pegasys- 
tems’ rules-based architecture to identify the 
customer and understand the context of that 
customer’s interaction with the organisation 
by using XML to gather information about 
the customer from back end data resources. 

The product will then use business 
rules to construct a personalised response, 
which is shown to the customer service rep- 
resentative before it is sent to the customer. 

Trefler said that in comparison to 
competing products, PegaCRM Email
Manager is “far richer in its ability to apply
rules”, and that its integration with back 
end systems delivers it the information nec- 
essary to provide a personalised response. 

Also, Pegasystems will release the 
PegaRules Process Commander, a product it 
announced in February. Trefler describes 
PegaRules Process Commander as a “general 
purpose work portal”, which will “support 
complex processes and outsourcing” and use 
PegaRules (a rules engine) to automate the 
fulfilment of complex interactions. 

The product will include service level 
management so that organisations can spec- 
ify goals and deadlines based on who the 
customer is. 

“It uses a multi-layer escalation 
model to increase priority, re-route or send 
communications as items pass their goals 
and deadlines, and it will also report on
how people are doing relative to their ser-
vice levels,” Trefler said. 

Pegasystems has also been working 
on a series of business processes templates 
for the retail banking, private banking, pay- 
ment and exceptions, insurance and health- 
care industries — templates which have 
resulted from the company’s experience 
within its customer base. 

“For years we have had the engine 
and customers had to create their rules 
from scratch,” Trefler said. The templates 
serve a three-fold purpose: reduction in the 
cost and speed of implementation, and 
enabling organisations to leverage 
Pegasystems’ best practice.

There are three early adopters for the 
templates, including a mutual fund, a bank 
and a healthcare entity, Trefler said.
Pamela Clark-Dickson 
Mobility Server Gets Trials


Wireless


Mobile Information Server


Microsoft’s focus on the mobility market, as
opposed to its traditional PC and server markets,
took on renewed energy in Australia in late July
with the announcement that its Mobile Information
Server 2001 is currently in trial with several
carriers and corporates.

“[Mobility] is a great opportunity for
Microsoft,” the vendor’s regional manager,
Wireless Mobility, Harvey Sanchez, said. “We
are very serious about it and we have been
putting a lot of resources and money into it.”

It’s a business that Sanchez has spent the
last eight months building in Australia, with MIS
2001 seen as “an important revenue opportunity”
for Microsoft.

Telstra and Vodafone are among the Australian
carriers piloting the Carrier edition of MIS
2001, while Merrill Lynch and the South Australian
Government are piloting the Enterprise Edition.

The carrier pilots have involved enabling
wireless access to corporate Exchange 5.5 and 2000
servers, with Telstra and Vodafone testing MIS
against their existing wireless infrastructure and
gateways, and the C&G pilots involving enabling
their mobile users access to information held in
back and front office application databases.

The two carriers are committing to having
a production service of MIS (Carrier) ready for
corporates deploying MIS (Enterprise), according
to Sanchez.

MIS 2001 is transport independent, so it will
operate over the GSM, GPRS and CDMA networks
currently deployed in Australia.

Nor will a tremendous amount of server
capacity be required to deploy a full production
environment supporting “hundreds of thousands
of simultaneous connections”: Sanchez said that
the system requirements are for two servers inside
the carrier's demilitarised zone — one for production
and one for backup.

While Microsoft has held discussions with
Optus, that carrier is in the process of deploying a
mobile office solution using a product called
Workstyle Server — the product of yet another
joint venture, this time between Microsoft and
Qualcomm, called Wireless Knowledge.

Sanchez told Systems Developer that this
product is very similar to MIS, but it only operates
in the enterprise market, and that Microsoft
Australia is talking with Optus about evolving to
MIS. The company hasn’t engaged Hutchison as
yet, preferring to focus on Tier 1 carriers.

The Merrill Lynch pilot involves ensuring 
their mobile users can access up to date informa- 
tion, in a device-independent manner, from not 
just Exchange but also specific Merrill Lynch finan- 
cial applications that are currently in development. 

While MIS 2001 can also be deployed 
independent of carrier, Sanchez says Merrill 
Lynch sees the fact that Microsoft has also pro- 
duced a Carrier version of the software as a 
“very important distinction”, and is therefore 
working with the trial carriers to be a “corpo- 
rate to carrier connected organisation”. 

Another Microsoft development on the 
horizon in the wireless space is the development of 
smart phones, codenamed Stinger and Merlin, 
which will enable carriers to deliver customised 
handsets for subscribers. 

Microsoft is conducting trials with Telstra 
— one of just four carriers selected worldwide — to 
test software, services and applications for its 
smart phones. 

“We are putting up a team of people to 
help the carriers to go to those trials, and the 
carrier, as part of the trial, will set up a team and 
resources in order to get as much testing as pos- 
sible with those devices with regards to billing 
and infrastructure,” Sanchez said. 

Carriers are excited about smart phones, 
Sanchez said, because it means that they will have 
control over what goes into the phone. This means 
they will be able to develop differentiated services 
and applications, which may in turn compel a 
customer not to churn to another carrier — as 
customers tend to do once their contract expires. 

“It is more about providing the pipes and 
the value added services, and you can do that with 
these devices,” Sanchez said. 

Samsung, Mitsubishi, Sendo and HTC are 
the handset manufacturers currently involved in 
this area.
Pamela Clark-Dickson
DOES YOUR FRONT END KNOW
WHAT YOUR BACK END IS DOING? 


WORKING TOGETHER FOR BUSINESS INTEGRATION 
EntireX, Tamino and TIEMA 


EntireX. EntireX is an enterprise middleware solution that is highly flexible and component-based
for integrating enterprise applications across heterogeneous operating systems. Solutions built
on EntireX can be implemented quickly and are easy to maintain, keeping the total cost of ownership 
low, while delivering highest performance and unmatched reliability. 


Tamino. The Tamino XML Platform is a comprehensive set of products for building
enterprise-scale XML-based applications. It consists of storage, development and integration
components for XML and non-XML data and applications. These are basic prerequisites for many 
e-business applications such as supply chain management, document management and e-commerce. 


TIEMA. TIEMA is for Windows-to-CICS transactions. TIEMA enables online CICS transactions
to be accessed from a Windows environment using standard Microsoft tools and without requiring 
any modification to the source code. 


Visit our web site or call us on 1800 064 970 for detailed product information. 


Software AG


The XML Company 


www.softwareag.com.au 


Making Business Integration Work 


Mono Opens Up Net 


Net News 


Nick Abbott, MSDN product manager 


Despite early reports from the US suggesting 
a degree of apathy, local Microsoft developer 
Tools and MSDN product manager, Nick 
Abbott, has stated the software giant is “very 
pleased” with an open-source project to clone the 
.Net development platform called ‘Mono’. 

Abbott went on to describe the project as 
“a ringing endorsement of the .Net strategy and 
Microsoft’s vision of XML Web Services”. 

This will see a .Net development environment
available for use with Linux. The project,
led by US-based company Ximian and its
head developer Miguel de Icaza, aims to provide
a range of open-source development tools based 
on the .Net standards, including a compiler for 
C#, .Net executable and visual development 
tools. Ximian will use the standards that 
Microsoft submitted to the ECMA and the 
World Wide Web Consortium (W3C). 

The project plans to build on Ximian’s 
extensive work with GNOME (GNU Network 
Object Model Environment), using GNOME 
infrastructure components (such as the GUI tools, 
XML libraries and CORBA implementation) to 
implement the various pieces of the .Net API. 

The MonoNet runtime implements .Net’s 
JIT engine (and a byte code interpreter for 
quickly porting to new systems), class loader, the 
garbage collector, threading system and metadata 
access library. Currently Ximian is evaluating 
various mechanisms for its JIT engine, which 
may include using ORP, GNU Lightning or the 
NJ Machine Toolkit. 

While supportive of the project, Abbott did 
say that Microsoft will “expect Ximian to comply 
with our ECMA IP [intellectual property] licensing
conditions, which imposes certain limits on their 
work with our IP including .Net”. 

A clash of ideologies could well arise with 
Ximian and Icaza, key developers for the 
Linux/GNOME user interface — a true open-source 
environment — coming up against the more 
restrictive ‘shared source’ philosophy of Microsoft. 

However, this development, in addition to 
a recent announcement that Corel will work with 
Microsoft to develop a shared source implementation
of the C# language and common
language infrastructure (CLI), displays a willing- 
ness to ‘open-up’ for the once predominantly 
proprietary vendor. With Corel, for instance, 
Microsoft will implement the platform on 
FreeBSD as well as Windows, and will publish 
the source code (under the shared source model) 
for use for academic, research, debugging and 
learning purposes. 


Under the shared source philosophy (its 
response to calls for a more open model), 
Microsoft will share source code with partners 
and customers in a mutually beneficial scenario 
(such as allowing developers free access to 
resources to develop for its platforms). 

Many have proclaimed the movement 
an attempt by Microsoft to make up ground on the 
large Java development community; especially the 
increasing use of J2EE in the enterprise applica- 
tions environment. Abbott did fire a salvo at Sun 
by claiming that Microsoft’s strategy is: “a sincere 
effort to give developers tools to create the inter- 
operable applications customers tell us they want. 

“This contrasts strongly with Java, which 
is a proprietary product of Sun Microsystems, 
while C# is an open standard.” 

Posts on the advogato.org Web site (a site for 
free software developers) in response to both the 
Mono project and the shared source model, have
been mixed. Most applaud the development efforts 
of Microsoft, with one commenting that “Microsoft 
are playing nice with SOAP and C#”; while main- 
taining a lot of the ‘MS is evil’ mentality and a good 
deal of scepticism about its intentions. 

Still, developer sentiment towards .Net 
remains increasingly positive, with Ximian’s 
decision to clone the development platform 
driven by its belief that “it is a great platform to 
build on”.
David Masters
Introducing RoboHelp Enterprise, the ultimate Help solution that uncovers how people
are using your Help systems. Intelligent Help software featuring RoboHelp
Enterprise Server technology provides user feedback, natural language search and
project merging so you can improve the effectiveness of your Help systems and applications.
RoboHelp Enterprise continually delivers the same feedback that expensive
usability studies offer — but for a fraction of the cost.

You can also easily leverage your existing help projects because it includes all of
the features in RoboHelp Office and more.


RoboHelp Office
The Industry Standard in Help Authoring


Full-featured Help quickly and easily. RoboHelp Office makes it easy to
create professional, full-featured application Help and documentation from one
source project - with point-and-click and drag-and-drop ease. With RoboHelp Office,
you can develop one project and deploy it anywhere. RoboHelp Office gives you a
stable and reliable option for cross-browser, cross-platform Help to smooth your
successful transition to Web-based Help. It’s used by more technical writers, Help
developers and documentation professionals worldwide than any other Help tool.
Plus, it has won more awards than all other Help authoring
tools combined.


Australia’s Major Distributor of Programming Tools!


For further information visit http://www.microway.com.au/robohelp
OR CALL MICROWAY ON 1300 55 33 13
OR EMAIL INFO@MICROWAY.COM.AU


Timing in .NET


Now that Microsoft 
is finally bedding 
down the final 
version of its .NET
technologies, we 
can start looking 
at the details . . . 


It can be hard to keep up with Microsoft in its
quest to bring us the latest and greatest
development tools. As a professional programmer,
you've got a responsibility to upgrade
your skills to the most modern versions, and 
when Microsoft revamps its entire toolset the way 
it has with the new .NET Technologies, even the 
most senior developer should be sitting up and 
taking notice. 

As part of its strategy to gain early adopters 
of the new technology, Microsoft released first 
Beta 1, and now Beta 2, of the entire Visual Stu- 
dio.NET suite, to the programming world. This 
has been beneficial in a number of ways but those 
who may have depended on commands and solu- 
tions described in Beta 1 (ignoring Microsoft’s 
claims that nothing was set in concrete) may be 
dismayed to discover some of the newer and neater 
aids are no longer present in the Framework. 


.NET Framework 


The major benefit of seeing the new technology is, 
of course, the ability to gain an insight into how 
programs may need to change, and how they CAN 
change, to take advantage of newer and more effi- 
cient algorithms and techniques. Those program- 
mers who research VS.NET will be prepared for 
the new wave when it is released (according to Bill 
Gates, definitely before the end of 2001). 

In fact, if you only spend an hour or two 
every week looking at the Framework and exam- 
ining just a couple of .NET classes, you'll be well 
on the way to being a valuable resource in the 
fast-paced development world. 


To aid you in furthering your education,
Systems Developer will bring you up to date with
specific classes and solutions that will be part of 
your core knowledge in learning .NET. This 
month we look at an integral part of most pro- 
grams, timers. 


In The Past... 


At some point or other, almost every application
will need the ability to time something. Whether it
is to keep track of how long a particular activity is
taking, or providing an interval between processes,
even the smallest utility programmer will find that
they can’t get away from the concept of time.

Most programmers have heard the tall
(and not so tall) tales of programmers in the
days of yore, who used to implement weird and
wonderful ways of making their programs time
the right way.

From positioning data on the drum in a
certain spot so that the drive heads had to go
through another full revolution to get to it, to
various loops and checks on the system clock,
programmers have had to jump through all sorts
of hoops to get their timing right. Luckily, we
now have things to look forward to.


In The Present... 


Before we can truly see the value of the new Timer 
class in .NET, we need to look at the resources 
available to programmers now. Currently program- 
mers have two or three alternatives depending on 
their language of choice. For C programmers, there 
are Windows API timers and high resolution
Multimedia timers. In addition to these, Visual 
Basic programmers have been able to utilise the 
Timer ActiveX Control. Let’s quickly look at each 
of these timers to see how useful they are. 


The Timer ActiveX Control 


The most basic and imprecise of all timing mech- 
anisms is the Timer ActiveX Control. This con- 
trol is sited on a form (now called a WinForm in 
Visual Studio.NET) and has some basic properties
that can be set, including Interval and Enabled. 

It is invisible at runtime and several can be 
created in a control array. The minimum resolution 
for an ActiveX Timer is around 55 milliseconds 
(this is based on the system clock tick). We say 
‘around’ because it depends on when you start the 
timer as to how long the first tick takes to happen. 

The major downfall that overrides the ease 
of use is that it must be sited on a form. If you 
don’t use any forms in your application, then you 
can’t use this control, or you need to add a dummy 
form to use it. The second major problem is that 
the Interval property is a Short Integer, providing 
a maximum interval of just over a minute. 

However, when used in a Visual Basic project, 
the developer doesn’t need to think too much about 
system resources as all Timer Controls share the one 
Timer resource held within the VB runtime. 


Windows API Timers 


The Windows API timers are very similar to the 
Timer control but are code-only. This means that 
they can be used in projects developed in many 
different languages and in applications that have 
different interfaces (meaning console, windows 
forms, or no interface at all). 

Windows API timers utilise the Callback 
method and can be initiated as many times as you 
like. They're defined with a call to the SetTimer 
API function and can have an Elapse value (equiv- 
alent to the Interval property of a Timer control) 
of a Long Integer, and thus can track much longer 
periods of time. 

One API timer can be shared and service 
multiple processes by having it housed in an event- 
enabled DLL that raises events as it ticks over. The 
code can be a little intimidating for programmers 
who are inexperienced with callback functions, but 
it is a very valuable tool in a programmer's toolbox 
when considering the alternatives. 


Multimedia Timers 


Multimedia timers are the bees-knees for timing 
functions in the Windows environment. These 
enable a very fine resolution of one millisecond 
which is required for applications such as audio 
and video players (hence their name). 

Under Win9x systems, there is a limita- 
tion of 32 at any one time, but NT-technology 
based versions of Windows allow up to 16 in 
each separate thread. 

As pointed out, these timers have a much 
more accurate timing mechanism than the others 
but they can be a real pain to implement because 
of that very speed. There’s no chance of debugging 
the code that goes into a Multimedia timer: either
stepping through the code or using statements 
like Debug.Print in Visual Basic will result in the 
program crashing or freezing because the timer 
wants to tick too often. 

The functions to use Multimedia timers are 
all housed within the winmm.dll. 

Like Windows API timers, implementing
Multimedia timers requires the use of callback
functions, but because of the fine granularity of
the timer, only certain functions can be performed
within the callback procedure, and besides certain
MIDI and DirectX calls, the only function that is
useful is the PostMessage API.


Schedule Class - Where are you?


Ironically, one of the classes we were going to discuss
this month was withdrawn from the latest Beta
of the .NET Framework. Schedules were an exciting
addition in Beta 1, as they provided a way for programmers
to automate such tasks as Web updates,
system utilities and other less frequent activities.

There was complete documentation on Schedules,
with Recurrence Patterns, Start and End Times,
the ability to customise what days in the month or
what months in the year the Schedule was to fire its
EventOccurred event.

This was quite a boost for those developers who
faced this kind of scenario. Rather than having to
write code to handle the different timing patterns and
schedules, they could simply instantiate an instance
of a Schedule class with the appropriate properties
set to address their needs and voila!

Despite the apparent removal of this class, it aids
in educating us on one further topic — never count on
Beta software. Remember, the product isn’t official
until the final version is released, so features may be
added, changed (in some cases quite dramatically), or
even removed.


VPN-1 is easier to manage than two.


Check Point’s integrated VPN-1™ and FireWall-1® solution is not only easier to manage, but
ultimately more secure than two separate solutions. When integrated, the firewall and VPN
share the same user, resource and policy information, to provide the highest level of granular
access control and security. With the power of centralized management, integrated user
authentication, consolidated logging, and the utmost in security, you get the best of both
worlds. Which explains why we have more VPN and firewall installations than anyone
else. To satisfy your security needs for today and all your tomorrows, download our white
paper, “Integrated VPN/Firewalls” at www.checkpoint.com/vpn1 and ease your mind.


CHECK POINT
Software Technologies Ltd.


anz@checkpoint.com ph: 1800 245 768
©2000 Check Point Software Technologies Ltd. VPN-1
is a trademark of Check Point Software Technologies Ltd.


We Secure the Internet.


To The Future... 


In the .NET Framework BETA 1, Microsoft 
introduced programmers to the System.Timers 
Namespace. This was to be a feature-rich name- 
space containing not only mundane Timers but 
also the much sought after Schedule object (see 
Schedule Class, Where Are You?, on page 20). 
However, with BETA 2, the Namespace has been 
made much lighter, and only contains the new 
Timer class. 

The Timer class itself is interesting however, 
as it gives easy access to fine resolution timers to 
all programmers. Effectively, the .NET Timer class 
is as easy to use as an ActiveX Timer control 
without the need to be sited on a Windows form. 
In addition, it has several minor additions that 
make it even more attractive to developers. 

Before we look at the details, we need to 
understand a little bit of theory. The .NET Timer 
is a Server-based timer. Server-based timers allow 
you to specify a recurring interval at which an 
event will be raised in your application. This is 
the same as with a normal Windows timer, but it 
allows a finer resolution. 

The standard Windows-based timer is still 
available and is optimised for Windows Forms appli- 
cations, while Server-based timers are an update of 
the traditional timer and have been optimised to run 
in a server or multi-threaded environment. 

To describe this another way, Windows
forms use UI threads, which are basically idle for
most of the time, waiting for messages to arrive in
their message loops. Server-based processing uses
worker threads. These threads don’t use message
loops and are used for background processing.
This means that they are designed for different
purposes — Windows-based timers are for single-threaded
event-based environments, Server-based
timers can move among threads to handle raised
events from multiple threads.


Diagram 1: System.Timers Hierarchy

The System.Timers Hierarchy is a very simple structure as you would expect. In fact, the only
reason it is so complicated is because it follows the standard hierarchical structure that is in
place for all System Namespaces.

Object
    Attribute
        DescriptionAttribute
            TimersDescriptionAttribute
    Delegate
        MulticastDelegate
            ElapsedEventHandler
    EventArgs
        ElapsedEventArgs
    MarshalByRefObject
        Component
            Timer (ISupportInitialize)


Microsoft recommend that you use the Windows
timer for WinForms-based applications, and
System.Timers.Timer objects for everything else.
In reality, it provided properties in the
System.Timers to allow you to synchronise them
to a WinForm so if you would rather just learn and
utilise one type of timer you can.

If you DO want to use the Windows timer,
you'll find it in the System.Winforms namespace.
One last thing about this timer — it has the same
resolution as the old ActiveX control and the Windows
API timers — approximately 55 milliseconds.


System.Timers.Timer


Now for a look at the heart of the matter — the
new System.Timers.Timer class. Microsoft
describes its function simply and mostly accurately
as “generating recurring events in an
application”. We say mostly because, as it turns
out, one of the new features is the ability to stop
the timer after the interval has elapsed.

Besides this feature, the developer can now
use the Enabled property or the new Start and
Stop functions to control the execution of the
timer, and also synchronise the timer to a particular
object, thus making it usable on Windows
Forms. Let’s look at these features in more detail.

The AutoReset Property: Until now, all
timers had one potential problem — when the
interval had passed, the timer would raise its version
of a ‘Tick’ event and carry on. If this processing went
on too long, the ‘Tick’ could occur again and cause
the code to jump in an unexpected fashion.

This was particularly the case with Multimedia
timers and API timers. It’s not uncommon to see
that the first command in a Tick event of an API
timer is the one disabling the timer, with its pair, the
re-enabling of the timer, at the end of the Tick event.

.NET Timers allow you to get around this
with the AutoReset property. When true, the
timer acts much like its predecessors — once the
interval has passed, the timer resets itself and
starts counting again. However, when AutoReset
is set to false, the timer disables itself once the
prescribed period of time has passed.

By default, this property is set to true so
that the timer continues to tick just as in previous
incarnations of timers. AutoReset should be a big
enough attraction for WinForms designers to
ignore Microsoft since the WinForms timer does
NOT have this property.

The Enabled Property: Enabling the
timer starts the clock ticking. Disabling pauses it.
Well, that’s not strictly true. The timer continues
to tick regardless, but the Elapsed event is not
raised. This can be an important distinction to
make, as the system is still processing with the
overhead of the timer, it just won't raise the event.

Developers can use the Enabled property in
conjunction with the new AutoReset property. The
procedure would be something like this: Set the
Interval of the timer to the desired time period, set
the AutoReset property to False, and the Enabled
property to True. The timer would raise the first
Elapsed event and then stop. At the end of the
Elapsed event when all processing has taken place,
the program can simply set the Enabled property to
True again to start the ‘single tick’ process again.

The Interval Property: Much the same as
the Interval property on the control, this value is
measured in milliseconds. The default value of the
Interval property is 100 milliseconds. The Interval
can be set as low as 1. Setting it to 0 will result in
the timer not firing the Elapsed event, while negative
values result in an ArgumentException error.

One vagary of previous timers was the
potential problems that could occur if a program
changed the interval while the timer was still processing.
Another benefit in using the .NET Timer
then, is the ability to change the Interval even
when the timer is enabled.

Be aware that when the Interval is changed in
this fashion the count is effectively restarted. As
an example, if the timer was originally set for an
interval of 10, and it was up to a count of 5, and then
the application changed the interval to 20, the count
would be reset to 0. This would mean the total time
between Elapsed events would be 20 + 5 = 25.


Diagram 2: System.Timers Namespace

The System.Timers Namespace contains three classes and one delegate:

* ElapsedEventArgs — Provides the data for the Elapsed event. The only property in this
argument list is SignalTime.

* Timer — Generates recurring events in an application.

* TimersDescriptionAttribute — Sets the description that visual designers can
display when referencing an event, extender or property. Has two properties: Description
and TypeID.

* ElapsedEventHandler (delegate) — Represents the method that will handle the
Elapsed event of a Timer.


The SynchronizingObject Property: This 
is the most important property when considering 
Windows Forms applications that integrate the 
timer into their design. By default, the SynchronizingObject
property (defined by the ISynchronizeInvoke
interface) is a null reference (Visual
Basic would term it Nothing). 

When this property is a null reference, the 
method that handles any Elapsed events that are 
raised by the timer is actually resourced from the 
system-thread pool. Trying to use the system- 
thread pool when the Elapsed event is supposed 
to be handled by a visual Windows Forms com- 
ponent such as a Form or a Button, can result in 
crashes, errors being raised, or the Elapsed event 
may simply not be raised. 

To avoid this, the SynchronizingObject 
should be set to point to a Windows Forms com- 
ponent, so that the event handler method for the 
Elapsed event will get the call on the same thread 
as the component. This minimises the risk of 
crashes and errors and ensures that the Elapsed 
event will be raised in the appropriate place. 

WinForms developers need not fear this 
potential problem because if the System.Timers.Timer is
used in Visual Studio.NET on a Windows Form,
the SynchronizingObject property is automatically
set to the control that contains the Timer. As an
example, if a timer was added to a form designer
called Form1, the SynchronizingObject property
would be set to an instance of Form1. 

The Start and Stop Methods: The Start 
and Stop methods are the new way of having a 
component begin or end its processing. Rather than 
have a single Property that you set to true or false, 
a programmer is meant to use proper methods. It is 
a better implementation of object-orientation principles
and even from a logical point of view it seems much 
clearer when code says Timer.Start rather than 
Timer.Enabled = True. 

Please understand that there’s nothing differ- 
ent between those two preceding statements, nor is 
there a difference between Timer.Stop and 
Timer.Enabled = False. However, this is the direc- 
tion that the .NET languages are headed, so why 
not start to code your programs in a consistent standard
so you (and others) can maintain them later on?

The Elapsed Event: The Elapsed event is 
raised when the interval specified has passed. This 
is the only important event in the Timer class (the 
other is the Disposed method which is common to 
most .NET classes) and is where your program can 
act out whatever processes you need to perform on 
a time-based system. 

With the AutoReset property set to False, 
once the Elapsed event has been raised once, the 
timer is automatically disabled and needs to be 
re-enabled by setting the Enabled property, or 
using the Start method. 

This is also where one potential problem 
could occur if you’re not careful. Remember we 
said that the .NET timer is server-based, and 
that server-based timers are multi-threaded? 
Think about this scenario: in one thread you call 
the Stop method of your timer, but in the mean- 
time, in another thread, the Elapsed event is 
raised again. 

Sounds like a problem? Well it can be, 
especially if the program expects that the Elapsed 
event won't occur again and has cleaned up 
various bits and pieces of data that the Elapsed 
event depends on to function correctly. 

To avoid this conflict, the Elapsed event 
has a parameter called SignalTime. SignalTime 
is a DateTime property that contains the exact 
time that the Elapsed event was raised. If an 
application could get into trouble if it tries to 
execute the Elapsed event-handler routine after 
it has issued a Stop command, the event- 
handler should have additional code comparing 
this SignalTime value to the time that the Stop 
command was issued. If the SignalTime is after 
the Stop method, then the rest of the code can 
be ignored. 
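The Stop/Elapsed race and the SignalTime comparison described above, sketched in C# as an added example that is not one of the article's own code samples. SafeTicker, Handle and the counter are hypothetical names; the lock and the empty-array test are additions so that an event already in flight when Stop is called cannot touch cleaned-up data.

```csharp
using System;
using System.Threading;
using System.Timers;

// Added example (not from the article). SafeTicker and its members are
// hypothetical names; System.Timers.Timer, its Elapsed event and
// ElapsedEventArgs.SignalTime are the .NET Framework parts.
public sealed class SafeTicker : IDisposable
{
    private readonly System.Timers.Timer _timer;
    private readonly object _gate = new object();
    private DateTime _stoppedAt = DateTime.MaxValue; // MaxValue means "running"
    private int[] _counter = new int[1];             // data the handler depends on

    public int Handled { get; private set; }
    public int Ignored { get; private set; }

    public SafeTicker(double intervalMs)
    {
        // No SynchronizingObject is set, so Elapsed is raised on
        // thread-pool threads: the multi-threaded case the article describes.
        _timer = new System.Timers.Timer(intervalMs);
        _timer.AutoReset = true;
        _timer.Elapsed += OnElapsed;
    }

    public void Start()
    {
        lock (_gate)
        {
            _counter = new int[1];
            _stoppedAt = DateTime.MaxValue;
        }
        _timer.Start();
    }

    public void Stop()
    {
        _timer.Stop();
        lock (_gate)
        {
            _stoppedAt = DateTime.Now;  // SignalTime is also local time
            _counter = new int[0];      // clean-up: the data is gone from here on
        }
    }

    private void OnElapsed(object sender, ElapsedEventArgs e)
    {
        Handle(e.SignalTime);
    }

    // Kept separate from OnElapsed so that a late event can be replayed
    // deterministically in Main below.
    public void Handle(DateTime signalTime)
    {
        lock (_gate)
        {
            // The article's check: an event signalled after Stop is ignored.
            // The Length test also covers an event that was signalled just
            // before Stop but only obtained the lock after the clean-up.
            if (signalTime >= _stoppedAt || _counter.Length == 0)
            {
                Ignored++;
                return;
            }
            _counter[0]++;
            Handled++;
        }
    }

    public void Dispose()
    {
        _timer.Dispose();
    }
}

public static class Program
{
    public static void Main()
    {
        using (SafeTicker ticker = new SafeTicker(20))
        {
            ticker.Start();
            Thread.Sleep(150);          // let a few real Elapsed events run
            ticker.Stop();

            // Constructed late event: as if another thread raised Elapsed
            // 5 ms after Stop returned.
            ticker.Handle(DateTime.Now.AddMilliseconds(5));

            Console.WriteLine("handled={0} ignored={1}", ticker.Handled, ticker.Ignored);
        }
    }
}
```

Without the guard in Handle, the late event would index into the emptied array and throw on a thread-pool thread.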


Conclusion 


Compare the code samples we've included in this 
article and you'll find that the usage of the timer is 
not too far off that of the timer mechanisms you're 
used to. You'll find that a lot with the .NET 
framework despite the huge outcry of how differ- 
ent the .NET languages are to their predecessors. 

What we have to look forward to is a viable 
alternative to the horrid complexity of existing 
multimedia timers. Server-based timers in the 
.NET world can be used for any of the purposes
we've discussed here, and are just as easy to handle 
as the ActiveX control currently is for Visual 
Basic programmers. 

Regardless of your language of choice,
you now have an easy way of keeping track of
time in your programs. Now there’s no excuse
for you to be late!


Andrew Parsons is an Australian-based writer and 
Visual Basic programmer. He has been a professional 
programmer for 12 years, with the last three being 
devoted to Visual Basic. Currently, Andrew works
on a retail product written completely in Visual
Basic that has given him an intimate knowledge
of the ins and outs of how to get things to work
in a Visual Basic environment.


Diagram 3: System.Timers.Timer


The Timer class is where a developer will need to
concentrate. The only remaining classes after
Microsoft culled the Schedule ones are subordinate
to your Timer class. This is its full class structure:


Constructors
Timer Constructor

Properties
AutoReset
Container
Enabled
Interval
Site
SynchronizingObject
DesignMode

Methods
BeginInit
Close
CreateObjRef
Dispose
EndInit
Equals
GetHashCode
GetLifetimeService
GetType
InitializeLifetimeService
Start
Stop
ToString
Finalize
GetService
MemberwiseClone

Events
Disposed
Elapsed
Vijay Varadharajan
Macquarie University.
and Networked
system Security
Board Director of
Professor at the

Prior to this, Professor Varadharajan was the
Foundation Professor and Chair of Computing
and IT at the University of Western
Sydney, Australia, from January 1995 until 
February 2001. He was also the Head of School of 
Computing and IT at the University of Western 
Sydney, Nepean and the Director of the Distributed 
System and Network Security Research. 

Prior to taking up his most recent appoint- 
ment, Professor Varadharajan was responsible for 
worldwide Security Research at corporate Hewlett- 
Packard Labs based in Europe. He has worked also 
with various HP Divisions in the US, UK, 
Germany, France and Italy. He had been with 
HP since 1988. Other postings include Research 
Manager at BT Research Labs, and Research Fellow 
and Lecturer in Computer Science at Plymouth 
and Reading Universities. He obtained his PhD in 
Computer and Communication Security in 1984 
under sponsorship from BT Research Labs. He 
spoke to Systems Developer in early July. 


This is a chair sponsored by Microsoft; my
role is defined in partnership with the University and 
Microsoft. The objective is designed to be beneficial 
to the technology and to the discipline in general. 

In particular, my role is to enhance not the 
products, but the product concepts that Microsoft 
is interested in, and specifically, to create a 
research laboratory into .Net security. The .Net 
framework is a high level view. My focus is on 
distributed systems security technology.


Q: What specific projects is the laboratory
involved in?


A: The fundamental issue in distributed applica- 
tions is how you authorise and authenticate across 
multiple applications. 

In the current state of the art, we understand 
how technology for authentication works. And there’s 
enough technology out there, in principle, to solve the 
problem — there was enough technology, for example, 
for Microsoft to launch Hailstorm and Passport. 

So where we're going here is to create a test 
laboratory for distributed authentication across 
multiple platforms. 




Passport is new, so our objective has to be to 
ensure that it’s secure, heterogeneous, and effi- 
cient. The real game is authorisation and my focus 
is to understand and develop authorisation ser- 
vices, particularly to work on .Net. 


Q: What makes authorisation difficult?

A: Authorisation poses a challenge: the privileges
are very granular and very fluid. Privileges can vary
by circumstance, time, location and so on. . . so 
the question is how do I manage these across the 
Internet for different applications? 

At the 1999 Comdex, Bill Gates talked 
about the personal profile as an enabler to the “per- 
sonal Web” — a repository that the user can access 
from anywhere. And that repository can be viewed 
differently according to user or application. 

The key to it is an authorisation service — 
where do you put that service? It has information, 
it has managing authorities; and it needs to iden- 
tify applications, information, and the location of 
those applications and information. 

So there will be multiple servers — including 
Microsoft authorisation servers — and we will also need 
meta protocols for communication between them. 


Q: A lot of visions focus on authentication
between applications. How does one application
authenticate itself to another?

A: Most authentication issues are application-to- 
application. If I have an accident, I will call for a 
doctor close-by — that doctor passes me to a clinic, 
the clinic checks medical insurance and so on. 

All of this is application-to-application — 
most services involve application-to-application 
communications. And further, applications can 
quite easily behave like users. 


Q: How do you distinguish between the
malicious user, and the innocent user whose
application has been hijacked?

A: There is a distinction. Where the application is
entitled to access information, the user has to be
protected.

Protecting the application is an access control
issue for the application — who can access it,
move it, copy it, execute it; these are operational
issues for that application. Say I’m a user providing
false credentials — this is an authentication
problem. There is a difference between them.

But in terms of techniques, the questions 
are: how do I know you are Richard? How do 
I prevent you from hijacking an application? 
This is fundamentally difficult as applications 
become mobile. 

Let’s look at a scenario: I am John, and 
using application one I call application two, and 
application two returns information. Applica- 
tion two says “who is calling?” — Can it say for 
sure “this is application one”? Is application one 
allowed to make this call? 

Really, application one is acting on behalf 
of John, so John can do it but Jane can’t. 

Now, extend this: application one moves 
to another host. One application traditionally 
assumes that it can trust another, when the 
application moves we're losing that trust. If 
the application moves, it’s hard to say whose 
behalf the application is acting on. 

So the challenge is to ask, “is this a rogue
application?” What guarantee does one application
have that, when it moves, another application
won't interfere with it?

The principle is that no server should be 
able to tamper with my application. 


Q: So applications that move are more at risk?

A: Yes, and there’s no solution to the malicious
host at the moment . . . how can you protect the
agent from the malicious host? The application
executes at the server, and then the server has
complete control. The application is vulnerable
— the server can mess things around.


Q: We also need to distinguish between
individuals and roles, don’t we?

A: The authorisation service needs to deal with a
variety of policies — first, John, then, John as an 
accountant. There are two mappings, the person 
as, say, a purchasing manager, then the privileges 
attaching to the purchasing manager. 

These change and move at different rates. 

In some sense, John’s role comes from the 
organisation . . . mapping role to privilege is 
organisational, but roles and privileges reside in 
different databases. Role is more efficient than 
access control lists... 

I'll go further than that. Let’s talk about the 
different kinds of policies. 

1) Delegation — me, or my role, or a subset 
of my role. 

2) Joint actions — hospital admissions, the 
GP, the specialist, the insurer, the admin- 
istration. These are roles; the joint action 
policy demands all okayed the decision. 




3) Commercial, the separation of duty — this is 
interesting, when companies partner. A 
works with B in one project, A competes 
with B in another project. This is a dynamic 
separation of duty. Once I choose ‘work for 
A’ then the Chinese wall comes into play .. . 

But it changes over time . . . you have to identify 
role, delegation and joint action, all of these 
change with time. 

Q: Is this too complex to administer?

A: This is driven by business requirements. The
current state of the art is to administer identities
in ACLs and simple roles. Applications are going
to exist where different users with different views
will need to make joint decisions . . .

I was involved in setting down requirements 
for the healthcare sector in Cincinnati. We had
stringent security including delegation. It boils down 
to the requirements in different business segments. 

Remember that the outcome of a project 
may be success or failure. What about failure? If 
the project fails, I want to make sure the former 
partner is not in an advantageous position because 
they still have access to information that should 
only be available while the project is current. 


Q: How does that change administration at
ground level?

A: Remember the rules of security:

1) There’s no absolute security. What we 
try to do is meet most of the needs most 
of the time. 

2) Simple administration is crucial. 

3) If something goes wrong, you need to 
know — pronto. 


That’s why when vendors like Microsoft find a
hole, we make sure we respond in an effective and
timely manner, and get the fixes done . . . crime
happens, but on the whole, life remains safe.


Q: Can these policies deal with exception
handling? What if the patient needs action now, but
someone on the joint action list isn’t available?

A: In practical terms, we're a long way
away from answering this. In the design world,
you call it a failsafe . . . one of the keys to the
failsafe is to make sure that when it aborts, the
state of the system doesn’t reveal anything.

The military world knows this and 
worries about it... it is possible to do failsafe 
systems, but it’s very expensive to design them 
and to prove that they are failsafe. Such systems 
are difficult to design and difficult to prove. 
The commercial world therefore says failsafe 
systems are not for everything — for a ten-dollar 
transaction it’s not an issue. A sense of reality in 
security is a good thing. 

That’s one reason why .Net is interesting: 
distributed applications and standardised proto- 
cols have been simplified. 

But at the end of the day, the IT people are 
still a long way from simplicity. Application inte- 
gration on XML and http is the right vision. 


Q: Will we ever be able to place confidence in
travelling executables?
A: At the high level you can tag code for integrity. 
Moving down, the question is do you allow inter- 
mediaries to modify code? 

If the answer is yes, you have to learn to 
cascade the tags. If there are changes happening 
as the agent moves, you create a tag each time. 
Then, tag management becomes an issue. 

At the application level, the issue relates to 
mobile agents, and at the network level, it’s the 
so-called smart packet. 

There are ActiveX signcodes, or Sun applet 
signcodes — so you can put cryptography to work 
here. But the key issue is “who can change, who 
can tag, who can verify?” 

One of the keys here is the potential for 
denial of service. You don’t want the intermedi- 
aries to start changing the packets. And you 
can’t change packet structures without the agree- 
ment of the IETF and other standards bodies. 


Richard Chirgwin is group editor IT&T at Informa. He 
can be contacted at richard.chirgwin@informa.com.au. 
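
The role mappings, joint-action policy and Chinese wall described in the interview, as an added C# example that is not code from Professor Varadharajan, Microsoft or .Net. AuthorisationService, its methods and the sample users are hypothetical, and the conflict-of-interest-class reading of the Chinese wall is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not from the interview). All names and sample data are
// constructed for illustration.
public sealed class AuthorisationService
{
    // Two separate mappings, because they change at different rates.
    private readonly Dictionary<string, HashSet<string>> _rolesOfUser = new Dictionary<string, HashSet<string>>();
    private readonly Dictionary<string, HashSet<string>> _privilegesOfRole = new Dictionary<string, HashSet<string>>();
    // Joint action: privilege -> roles that must all approve.
    private readonly Dictionary<string, string[]> _jointRoles = new Dictionary<string, string[]>();
    // Chinese wall: company -> conflict class, and each user's choice per class.
    private readonly Dictionary<string, string> _conflictClass = new Dictionary<string, string>();
    private readonly Dictionary<string, Dictionary<string, string>> _chosen = new Dictionary<string, Dictionary<string, string>>();

    public void AssignRole(string user, string role) { Add(_rolesOfUser, user, role); }
    public void GrantPrivilege(string role, string privilege) { Add(_privilegesOfRole, role, privilege); }
    public void RequireJoint(string privilege, params string[] roles) { _jointRoles[privilege] = roles; }
    public void SetConflictClass(string company, string conflictClass) { _conflictClass[company] = conflictClass; }

    private static void Add(Dictionary<string, HashSet<string>> map, string key, string value)
    {
        HashSet<string> set;
        if (!map.TryGetValue(key, out set)) { set = new HashSet<string>(); map[key] = set; }
        set.Add(value);
    }

    public bool HasRole(string user, string role)
    {
        HashSet<string> roles;
        return _rolesOfUser.TryGetValue(user, out roles) && roles.Contains(role);
    }

    // Person -> role, then role -> privilege.
    public bool HasPrivilege(string user, string privilege)
    {
        HashSet<string> roles;
        if (!_rolesOfUser.TryGetValue(user, out roles)) return false;
        foreach (string role in roles)
        {
            HashSet<string> granted;
            if (_privilegesOfRole.TryGetValue(role, out granted) && granted.Contains(privilege)) return true;
        }
        return false;
    }

    // Joint action: every required role must be represented among the approvers.
    // An unknown privilege or a missing role denies the action (fails closed).
    public bool JointlyApproved(string privilege, IEnumerable<string> approvers)
    {
        string[] required;
        if (!_jointRoles.TryGetValue(privilege, out required)) return false;
        List<string> present = approvers.ToList();
        return required.All(role => present.Any(user => HasRole(user, role)));
    }

    // Dynamic separation of duty: the first company a user works for in a
    // conflict class raises the wall against the others in that class.
    public bool AccessCompany(string user, string company)
    {
        string conflictClass;
        if (!_conflictClass.TryGetValue(company, out conflictClass)) return false;
        Dictionary<string, string> mine;
        if (!_chosen.TryGetValue(user, out mine)) { mine = new Dictionary<string, string>(); _chosen[user] = mine; }
        string already;
        if (mine.TryGetValue(conflictClass, out already)) return already == company;
        mine[conflictClass] = company;
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        AuthorisationService svc = new AuthorisationService();

        svc.AssignRole("john", "purchasing-manager");
        svc.GrantPrivilege("purchasing-manager", "approve-order");
        Console.WriteLine("john approve-order: " + svc.HasPrivilege("john", "approve-order"));
        Console.WriteLine("jane approve-order: " + svc.HasPrivilege("jane", "approve-order"));

        svc.AssignRole("dr-gray", "gp");
        svc.AssignRole("dr-lee", "specialist");
        svc.AssignRole("acme-health", "insurer");
        svc.RequireJoint("admit-patient", "gp", "specialist", "insurer");
        Console.WriteLine("admit, insurer absent: " +
            svc.JointlyApproved("admit-patient", new[] { "dr-gray", "dr-lee" }));
        Console.WriteLine("admit, all present: " +
            svc.JointlyApproved("admit-patient", new[] { "dr-gray", "dr-lee", "acme-health" }));

        svc.SetConflictClass("A", "project-bidders");
        svc.SetConflictClass("B", "project-bidders");
        Console.WriteLine("john works for A: " + svc.AccessCompany("john", "A"));
        Console.WriteLine("john then reads B: " + svc.AccessCompany("john", "B"));
    }
}
```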
Insure++ is an automatic runtime error-detection
tool for C/C++ applications; it detects a variety of
problems, including memory corruption, memory
leaks, pointer errors and I/O errors. It works like an
X-ray machine, automatically exposing hidden
defects. When you test your code with Insure++,

Insure++’s latest breakthrough technology -
Chaperon - allows you to detect errors without
recompiling or relinking. For situations that call for
a quick overview of your code, Chaperon gives you
a fast, accurate analysis while uncovering extremely
complex errors such as memory leaks, memory
reference errors and memory corruption. In
addition to testing with Chaperon, you can check
your code using Source Code Instrumentation. This
feature performs a detailed, comprehensive code
analysis that flushes out the most subtle errors -
errors that take the most skilled developer weeks to
find. To further speed up your debugging process,
Source Code Instrumentation employs coverage
analysis, enabling you to track the progress of your
code testing.

“Fingures will easily save us weeks of debugging time and I
strongly recommend it to anyone doing development on Linux.”
— Michael Babcock, Jim Henson’s Creature Shop


Multi-Platform


There’s no question of Insure++ affecting your
development cycle. Insure++ is available on all
major UNIX platforms, including Linux, AIX, DEC,
HP, SGI, and Solaris. On UNIX, you can install and
run Insure++ with a few simple commands and
instantly find bugs. If you develop on Windows,
you can integrate Insure++ into Microsoft
Developer Studio®.
GigaHertz Processors -
Getting Bang for the Buck


Super-fast processors are starting to emerge;
but it takes a little more effort than just putting
the chips in to get them to cook.

By Carlo Kopp.


The recent emergence of processor chips
with clock speeds in excess of a GigaHertz
has been a major advance for the industry.
There can be no doubt that the availability of
commodity chips with 1.7GHz clocks provides an
unprecedented gain in the performance potential
of systems, and thus applications.

The massive improvement in compute 
performance potential is paralleled by an ongoing 
decline in the cost of memory, and especially disk 
storage. The technology of GMR disk heads has 
pushed the capacity of the commodity $300 drive 
into the tens of Gigabytes, outstripping the 
capacity of most backup tape technologies. 

Actual performance is, however, distinct 
from ‘performance potential’, since poor design 
and implementation of applications may see even 
GigaHertz clock-speed processors yield little 
return in achieved performance against their 
siblings of half a decade ago. 

In this month’s issue we will explore what 
impediments exist to the extraction of the full 
performance potential in this generation of 
processors, and discuss what strategies a developer 
can pursue to extract as much bang as possible 
from the available bucks. 


GigaHertz Processors 


The biggest breakthrough contributing to the
breaking of the 1GHz clock-speed barrier was the
introduction, last year, of copper metallisation fab
technology. After many years of research IBM
cracked the problem of how to replace aluminium,
the mainstay until then of on-chip wiring. More
conductive copper reduces series resistance in the
wiring on the chip, in turn reducing RC delay effects.

The first processor to utilise this technology 
was AMD’s Athlon, soon followed by the Pentium 
IV. We can expect to see most of the mainstream 
chip manufacturers shift to copper over the next 
year or two. 

A commodity microprocessor in this class 
will have tens of millions of transistors on chip, 
clock speeds between 1.0GHz and 1.7GHz (this 
year) and a six- to nine-way superscalar architec- 
ture incorporating capabilities such as speculative 
execution and out-of-order execution. More than 
likely, a four- to eight-way set associative Level 2 
cache of up to 256kB will be integrated on the
chip die, as well as a Level 1 cache of up to 128kB. 

The machine is likely to be using a 64-bit 
or wider system bus to main memory running at a 
clock speed between 100MHz and 400MHz,
depending on the chipset in use. 

By any measure, such machines have for- 
midable performance potential if properly 
exploited. Since performance scales in part with 
clock speed, but also with the degree of super- 
scalarity in the CPU, and the hit ratio of the 
CPU caches, for many applications such chips 
will yield performance gains greater than the 
ratio of their clock speed against the clock speed of
a sub 1GHz chip of similar architecture. 

Superficially, this would suggest that we
can safely assume that if application X running on
operating system Y delivers Z amount of performance,
going from a 700MHz CPU to a 1.4GHz
CPU should halve either the achievable response
time in interactive work or double the
speed/workload of non-interactive work.

Careful examination of published benchmarks
suggests otherwise, with the scaling in benchmark
figures with clock-speed ratios falling short of the
ideal N-fold improvement in performance.

To an observer not well versed in machine 
architecture, this seeming incongruity might 
appear to be puzzling. To understand why this 
arises, we must delve a little deeper. 


Let us assume an ideal world — perhaps a dangerous 
form of speculation! In this world the application 
and operating system are always resident in the 
CPU’s internal on-chip caches, and the binary exe- 
cutable code created by the compiler is dominated 
by instructions which are not mutually dependent. 

In this ideal world, the GigaHertz processor 
will chew through the stream of instructions in the 
application at its peak achievable throughput almost 
all of the time. Of the N execution units in the CPU, 
nearly all of the N will be active all of the time. 

As the application is always resident in the 
cache, in an ideal world model, every instruction 
fetch sees the nanosecond class access time of the 
cache, rather than the tens of nanosecond access 
times of the main memory. Therefore, the CPU 
sees an uninterrupted stream of instructions and is 
never stalled for want of instructions to process. 

Reality, however, might be very different. 
Superscalar architectures can execute at peak output 
only when the code they are executing contains few
instructions with mutual dependency. Whenever 
an instruction is dependent upon the results of a 
previous instruction, there is potential for perfor- 
mance to be lost. Computer architects use the term 
‘Instruction Level Parallelism’, or ILP, to describe 
the property of executable code whereby little 
mutual dependency exists between instructions. 

A particularly troublesome situation for 
superscalar processors is branching, since waiting 
for the outcome of a branch has the potential to 
empty the internal pipelines in the CPU, incur- 
ring significant latency times to refill. 

Commodity processors contain numerous 
design features aimed at exploiting ILP and also 
avoiding these stalls. Speculative execution is 
perhaps the most popular such technique in 
modern processors. At the cost of considerable 
complexity in logic, supportable due to the large 
transistor counts available, the CPU will prefetch 
and execute both outcomes of the branch instruc- 
tion and discard the outcome which is not used. 
The difficulty with speculative execution is that 
the problem becomes intractable where consecu- 
tive branches are found. 

Consider a piece of code in which four or 
five branches are nested. The first branch state- 
ment results in two paths to speculatively execute. 
Each consecutive branch doubles the number of 
instruction streams, from two to four, four to 
eight and so on. The logic handling speculative 
execution must prefetch instructions for each of 
these streams. In practice this imposes limits on
how far the CPU can ‘look ahead’ into the code
and speculatively execute. Once that limit is hit,
the CPU stalls waiting for the resolution to the
pending branch operation.

The difficulty with the ILP problem is
that mutual dependency between operands in
instructions is very frequently implicit within
the algorithm being used. Therefore no amount
of compiler optimisation or other clever trickery
can beat the problem.

Within any ‘soup’ of instructions found in a
binary module, there will be threads of instructions
with mutual dependency, and these in effect
form critical timing paths for the algorithms
being used. The problem is fundamentally the
same as the critical path problem seen in any
PERT chart.

The push toward Very Large Instruction
Word (VLIW) architectures such as Transmeta
Crusoe and IA-64 is an attempt to grapple with
this problem, by pushing the instruction scheduling
problem out of the hardware and into the software.
The basic idea is that the bigger the block
of instructions the CPU can explore, the more
opportunities will exist to keep the CPU’s execution
units busy with instructions which are not
stuck along a critical scheduling path.

The issue of cache performance is no less
daunting with a very fast CPU. The aim of all
CPU caches, be they combined data/instruction
caches, or Harvard architecture or split caches
with dedicated data and instruction paths, is to
hide the poor performance of the main memory. If
the instruction or data is resident in the cache, it
can be accessed within a clock cycle or two, if not,
then the CPU has to wait for the data or instruction
to be found in the main memory.

The classical metric of cache performance is 
the ‘hit ratio’, or the ratio of cache accesses that find 
the data or instruction in the cache, to the total 
number of accesses. A cache design which matches a 
program well will deliver hit ratios well above 90%. 

Machine architects like to use a simple met- 
ric for measuring the impact of cache hit ratio, the 
‘average memory access time’. This time is calcu- 
lated by adding the proportion of ‘hits’ times cache 
access time, to the proportion of ‘misses’ times 
main memory access time. The higher the hit 
ratio, the closer the ‘average memory access time’ 
is to the desired (very short) cache access time. 

A good example might be a 500MHz CPU
which uses a two nanosecond cache and a 50 
nanosecond main memory. If the cache hit ratio is 
99%, then the ‘average memory access time’ 
comes in at 2.48 nanoseconds. Even a 1% ‘miss 
ratio’ results in a 24% performance loss against 
the ideal 100% hit ratio situation. 

If the hit ratio is further degraded, say to 
50%, then the ‘average memory access time’ 
becomes 26 nanoseconds. This is a 13 fold increase 
against the ideal 100% hit ratio situation! 

The interesting point then becomes that of 
what it is costing in ‘real’ terms. If we assume the 
CPU can execute an instruction in two nanosec- 
onds average time, then in 50 nanoseconds that 
CPU did not execute 25 instructions, while it was 
waiting for the stalled fetch to be resolved. 

What then happens if the CPU is a genuine 
‘GHz class processor’ with a clock speed of 
1.5GHz, but the same order of magnitude 50 
nanosecond main memory? The cache access time 
is much shorter, at 660 picoseconds or 0.66 
nanoseconds. With every stall resulting from a 
cache miss, the CPU idles while no less than 76 
instructions are not executed. 
While the issue of ILP is important for
GigaHertz processors, the performance of the 
cache architecture is a ‘do-or-die’ issue. 

The problem of speed disparity between 
caches and main memories will only get worse 
over time. This is because the economic driver in 
the DRAM market is density rather than speed. 
Moore’s Law being what it is, we see CPU clock 
speeds and thus cache speeds increasing by a 
factor of about ten every decade. Yet over the last 
decade we have seen DRAM speeds increase 
roughly by a factor of two to three. 

Around 1990, a typical ‘hot’ CPU ran at 
50MHz and DRAMs had typically around 70
nanosecond access times, yielding a ratio of about 
3.5 for typical commodity hardware. In 2001, a 
typical ‘hot’ CPU runs at 1.5GHz yet commodity 
DRAMs have typical access times of 30-50 
nanoseconds, yielding a ratio of about 45-75. 

Therefore the disparity between cache and 
DRAM speeds has grown by a factor of 13 to 21 times. 

Some confusion may result from contempo- 
rary marketing terminology surrounding the use 
of newer technology ‘synchronous’ SDRAMs. Such 
DRAMs are designed for burst mode operation, 
where the access time for consecutive locations in 
the burst is typically between seven and 12 
nanoseconds for current technology. However, the 
snag is the initial latency in the SDRAM access, 
which is still somewhere between 30 to 50 
nanoseconds for commodity hardware. 

If the CPU has experienced a cache miss and 
is stalled, then it does have to wait the full 30-50 
nanoseconds before the main memory responds.
This is the nature of a cache miss. 

Many tricks are used in modern architec- 
tures to avoid misses, and the whole idea of 
SDRAM techniques is to exploit smart CPUs 
which will prefetch instructions and try to per- 
form speculative execution. The idea is of course 
to pipeline the main memory so that it is busy 
fetching instructions all of the time. 

However, if the prefetch logic doesn’t know 
where to prefetch from, for instance as a result of 
the ‘multiple branch’ scenario saturating the spec- 
ulative execution control logic, then the cache 
cannot be prefilled and a cache miss will arise. 

So we are back to the basic and fundamental 
problem of cache hit ratios and ever growing dis- 
parities between the speeds of caches and DRAMs. 

The basic conclusion to be drawn here is that 
the ‘cost’ of a cache miss will continue to increase 
over time as Moore’s Law continues to drive CPUs 
along their much steeper performance growth curve. 

Where does this leave the system developer? 


Beating the Cache/DRAM 
Disparity Problem 


Competitive pressures in the commodity computer 
market have seen significant improvements in the 
architecture of x86 instruction set systems in recent 
times, nullifying much of the traditional advantage 
held by Unix workstations. 

During most of the 1990s, x86 systems could
usually match the clock speeds of the flavour of the
month RISC Unix machines, but were typically
installed in motherboards with relatively primitive 
memory and system bus architectures. Therefore 
regardless of cache performance, the achievable band- 
width to memory was an ongoing problem for x86 
systems. By the end of the 1990s, AMD had licensed 
the DEC/Compaq bus developed for the Alpha and 
Intel have recently released their equivalent in P-IV 
based systems. Therefore in basic desktop or deskside 
systems, the performance issues will be firmly centred 
on the achievable cache hit ratio performance. 

Cache architectures have also seen serious 
improvements over the last two years, in a large 
part due to the availability of more transistors on 
the chip die. The biggest single step in the x86 
market was the last generation of the P-III series, 
which incorporated an on-chip 256kB eight-way 
set associative L2 cache with a full speed 256 bit 
wide bus between the L2 cache and the CPU/L1 
cache. It is reasonable to expect similar capabilities 
across the market over the coming 12 months. 

Cache hit ratio is a very complex function of 
the cache architecture and how it interacts with 
the program being executed. A machine architect 
has three basic parameters to play with: 


■ Cache size;

■ Cache set associativity, or how many sets
of instructions with like low order address
bits can be held; and

■ Cache structure, whether it is shared
between data and instructions, or split into
dedicated instruction and data caches.


Data Cache Hit Ratios - SPEC92 (R2000 Core/Harvard Cache)

What we see in commodity products is usually some 
balanced trade-off between three items, to maximise 
the performance of the design against a suite of 
benchmark programs such as SpecMarks, WinMarks 
and others. A clever designer will identify which 
benchmarks are most representative of market needs 
and bias his or her design in that direction. 

A developer is therefore largely exposed to 
what the chip maker's marketeers believe to be the 
most suitable benchmarks. If the application 
being developed doesn’t fit the ‘market template’ 
for that CPU design, the odds are that the full 
performance potential will not be exploited. 

There is still some choice left in the market, 
in that many CPUs can be bought with different 
cache sizes. Server or power user optimised CPU 
variants may be available with 0.5MB-, 1.0MB-, 
2.0MB- or even 4.0MB- to 8.0MB-sized caches. 

The simplest approach for a developer is to 
benchmark the application against a range of CPU 
variants and identify those which deliver signifi- 
cantly poorer performance. Assuming all else is 
the same, the smallest cache size of the machines 
which perform well will be the cache size which 
fits the application well. The very same argument 
can be applied to the operating system, should 
this choice be available to the developer. 


This, and the following plot, were produced
using the ACS cache performance simulator,
for a notional CPU employing a MIPS
R2000 core and a Harvard architecture
directly mapped cache of varying sizes.
The traced package was the SPEC 92,
and the four plotted applications were the
most numerically intensive components
of the suite. Note that the locality of the
data was very poor, resulting in a need for
data cache sizes in excess of 1 Megabyte
for some of these applications. Systems
which have >1 GHz clock frequencies and
thus large disparities between cache and
memory speeds will typically suffer a
large performance loss where the cache
hit ratio is poor.


systems Developer August 2001 


Where the developer is producing a turnkey 
system, or is in the position to specify a target plat- 
form or CPU type, this model is practical and simple. 

For shrinkwrapped software products, espe- 
cially those targeted at desktop applications, this 
model is almost worthless. The user may be running 
one of many different variants of a commodity CPU, 
especially in the Intel/AMD market. 

In this environment, getting improvements 
to the cache hit ratio may require some clever 
manipulation of the application design, which is a 
non-trivial task. 


Tuning Applications for Cache Size 


In a given range of commodity CPUs, it is usually 
not difficult to visit the vendor’s Web site and 
establish what the cache architectures of the respec- 
tive CPUs are. The parameters of interest are: 

■ What are the respective sizes of the L1
data and instruction caches?

■ What are the respective sizes of the L2
data and instruction caches or the L2
combined cache?

Knowing these parameters for a range of CPUs, it 
is feasible to pick the lowest common denominator 
— the smallest L1 data and instruction cache size, 
and the smallest L2 cache size. Most machines use 
a combined L2 cache (although this may change as 
transistor counts go up). 


Instruction Cache Hit Ratios - SPEC92 (R2000 Core/Harvard Cache)


Armed with this knowledge, the developer 
must then explore the behaviour of the application. 

Most applications will spend much of their 
running time in a large event loop, scanning for 
inputs and then executing code modules which 
respond to these inputs. With suitable profiling 
tools and a bit of common sense, it is feasible to 
establish what proportion of time the application 
spends in which specific modules of the application. 

Once this is known, the developer can try to
identify which modules are run most frequently,
and how large their executable code, data and
stack segments are. If the application is to achieve
a high cache hit ratio, the code, data and stack
segments must all be resident in the L2 and L1
caches. Therefore to get best achievable performance,
the most frequently executed modules
should be cache resident. A poor cache hit ratio in
an infrequently run code module may verge on the
irrelevant. Conversely, a library routine which is
being hammered in every pass of one or more
loops should have a good hit ratio.

The developer’s aim at this stage is 
exploratory — identifying which parts of the appli- 
cation are frequently run and likely to be mis- 
matched to the cache. 

A good example might be a status table on
the heap or at the beginning of the stack. If it is
known to be much larger than the L1 data cache
or even the L2 cache, and it is very frequently
accessed, the prospects are very good that it will
experience a poor hit ratio. How poor a hit ratio
will depend upon the locality of accesses, since it
may well be that only a small fraction of the table
is accessed very frequently and the rest ignored
most of the time.

A similar argument can be applied to a
code segment. If that code segment comprises a
fairly large loop, and is clearly much larger than
the L1 data cache or even the L2 cache, the
prospects are very good that it will become a
performance killer.

Once the developer has identified the prob- 
lem areas in the application, the next step is to try 
and fix the problem. 

Consider a piece of code sitting in a large 
loop, progressively working through whatever 
chores it needs to perform. Is there any reason 
why this large loop cannot be split into a series 
of shorter loops, each working on some part of 
the problem? Smaller loops that fit into the 
caches will do the same work faster than a 
large loop which continues to overwrite itself 
in the cache. 

Must the data set be held in an enormous
array, if it can be split into a larger
number of smaller arrays, each of which fits
easily into the caches?
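
The effect of splitting the work can be seen in a small direct-mapped cache model. This is an added example, not code from the article or from the ACS simulator it mentions; the 8 KiB cache, 32-byte line, 64 KiB array and four processing passes are assumed values.

```python
"""Direct-mapped cache model: one big loop over a large array versus the
same work split into chunks. Added illustration; every size below is a
constructed value, not a measurement from the article."""

CACHE_BYTES = 8 * 1024      # assumed L1 data cache size
LINE_BYTES = 32             # assumed cache line size
ARRAY_BYTES = 64 * 1024     # working set, eight times the cache
WORD_BYTES = 4              # one element per 4-byte word
PASSES = 4                  # processing steps applied to every element


def simulate(addresses, cache_bytes=CACHE_BYTES, line_bytes=LINE_BYTES):
    """Run an address trace through a direct-mapped cache.

    Returns (hits, misses). Each memory block can live in exactly one
    cache line, selected by the low-order bits of its block number.
    """
    n_lines = cache_bytes // line_bytes
    resident = [None] * n_lines          # block number held by each line
    hits = misses = 0
    for addr in addresses:
        block = addr // line_bytes
        index = block % n_lines
        if resident[index] == block:
            hits += 1
        else:
            misses += 1
            resident[index] = block      # evict whatever was there
    return hits, misses


def big_loop_trace(array_bytes=ARRAY_BYTES, passes=PASSES):
    """Every pass walks the whole array before the next pass starts."""
    for _ in range(passes):
        yield from range(0, array_bytes, WORD_BYTES)


def chunked_trace(chunk_bytes, array_bytes=ARRAY_BYTES, passes=PASSES):
    """All passes are applied to one chunk before moving to the next."""
    for base in range(0, array_bytes, chunk_bytes):
        end = min(base + chunk_bytes, array_bytes)
        for _ in range(passes):
            yield from range(base, end, WORD_BYTES)


def hit_ratio(trace):
    hits, misses = simulate(trace)
    return hits / (hits + misses)


def compare():
    """Hit ratios for the three access patterns, keyed by name."""
    return {
        "one big loop": hit_ratio(big_loop_trace()),
        "4 KiB chunks (fit the cache)": hit_ratio(chunked_trace(4 * 1024)),
        "16 KiB chunks (too big)": hit_ratio(chunked_trace(16 * 1024)),
    }


if __name__ == "__main__":
    for name, ratio in compare().items():
        print(f"{name:30s} hit ratio {ratio:.4f}")
```

With these assumed sizes the big loop and the oversized chunks each miss 8,192 times, while chunks that fit the cache miss 2,048 times, once per cache line touched.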


In a sense, tuning an application for best 
cache performance is analogous to the tedious 
chores performed by database developers who 
must manipulate access patterns in a manner 
devised to minimise disk accesses. 

This can be a tedious and time consuming
chore, especially if an existing application is to be
hacked into something which performs better. If a
new application is being written, the ground rules
are simple — ‘smaller is better’ be it in the length
of loops or the size of data structures.

Applying such a strategy intelligently 
will matter — only those chunks of code and 
data which are executed very frequently will 
return a good payoff in expended effort for 
performance gains seen. 

A final cautionary note is that shrinkwrapped 
libraries or operating systems with built in cache hit 
ratio problems are likely to frustrate even the most 
intelligent application tuning effort. 

For those who might be sceptical of the 
impact of cache performance, I can cite a simple 
example — a (cache) simulation application which 
ran much faster on a 180 MHz Pentium-Pro 
than a 400 MHz Celeron, both of which used a 
virtually identical core microarchitecture. 

Cache performance does matter! 


Dr Carlo Kopp is a former computer design engineer, 
embedded programmer, Unix systems programmer 
and a Unix systems consultant, with over 15 years 
of industry experience. He currently lectures in 
Computer Science at Monash University. He may
be reached via carlo@pha.com.au or
http://www.csse.monash.edu.au/~carlo.


Can We Trust Web Transactions?


Imagine if your 
ATM transactions 
routinely stopped 
half-way through — 
if the machine gave 
you the cash but 
kept your card, for 
example. Why do 
so many e-business 
operations post 
flaky transaction 
systems? Richard
Chirgwin reports.

One of the great scare-statistics of the
Internet is the oft-reported assertion that
“four out of five Internet users who start
filling a shopping basket leave without buying”.

Certainly, if you've spent a million dollars 
on an e-commerce operation, that is a frightening 
thought. But at least “four out of five” is some- 
thing you can measure. And if you can measure 
something, you have the chance to act on it. 

A far more frightening thought is this: 
what about the people who tried to buy, but 
couldn’t because your systems broke somewhere? 

If you’re just like every other Internet oper- 
ation, you probably entrust the entire e-commerce 
strategy to the HTTP ‘POST’ command. 

Let me cite three examples, all of them from 
personal experience. In early 2000, I ended up 
speaking to the Webmaster at AMP reciting IP 
addresses to try and locate a lost order form from 
the insurance company’s Web site; last year, I 
ended up repeating an entire mobile phone order 
to a Telstra call centre operator, after filling in the
Web form and waiting three days for nothing to 
happen; and this year, I found myself reading a 
confirmation e-mail back to a GIO call centre 
agent, after it became clear that the Java applet 
never put my claim into the system. 


Any time an order received by the Web site
doesn’t reach its target, it’s going to cost money. Not
analysts’ ‘TCO’ money, but real money: at best,
you'll pay the price of fielding a phone call for a
transaction that should have happened automatically
— and having increased the cost of a sale, you might
lose the sale anyway. Or you may have to bear the
cost of reversing a credit-card transaction because the
goods weren't delivered. Or you might be selling
software online, sending out a download but never
processing the payment.

And what if your operation is part of some 
kind of e-business supply chain? Lost orders don’t 
just disrupt your own business, they compromise 
the other participants in the supply chain, both 
upstream and downstream. 


Internet vs Sneakernet 


The received wisdom in the e-commerce vendor 
space is that if transactions break, it’s most likely 
because the site owner didn’t have an integrated 
system. In other words, if you handle incoming 
transactions by printing them out from the Web 
system and re-keying them into the line-of- 
business system, you're asking for trouble. 

Of course, there is a contrary view that’s 
just as valid: most companies have developed their 
paper processes over many years, while their Web 
processes are generally ad-hoc developments of 
days or weeks. Dr Kerry Raymond, distinguished 
research fellow at the DSTC, told Systems Developer 
that if your company understands its paper 
processes, the technique of printing out orders 
and processing them by hand might at least be 
more reliable than an entirely electronic process.

Integration of the Web with the back-end
has been pushed hard and long by the vendor 
community — but even if you hook up the latest 
integrated e-commerce suites, it’s rash to assume 
that everything will work, all the time. 

Even a simple map of the transaction, from 
user to back-end system, serves to remind us how 
complex a purchase can be. 

The first thing that can break, of course, is 
the submit button itself — in this age of design- 
oriented Web tools, it’s far too easy for designers to 
overlook the compatibility question. If you don’t 
test the HTML code before you post it, you might 
never know that an order form that works fine in IE
generates an error message in Netscape — or even 
worse, that it generates no error message at all, acts 
as if the order was submitted, and leaves the 
customer thinking that an order has been placed. 

Assuming the message leaves the client and 
reaches the Web server, it’s just reached the next 
possible break-point: the incoming form may hit 
an internal queue that’s too long and be dropped, 
or processing might be interrupted. If it’s a finan- 
cial transaction rather than a customer-service 
form, the SSL system may run out of legs. 

And then there’s the back-end connection:
the transaction has to be passed to a database,
or to a middleware environment which then
flicks the message to what is hopefully a reliable
line-of-business system. At any point where the
message has to be processed and passed to
somewhere else, messages can get lost; and anywhere
systems can get congested, the messages
can be simply dropped.

One of the first problems, according to Dr 
Raymond, is that many e-commerce implementa- 
tions rely on ‘black-box’ software. “To get the 
applications hosted quickly, people want to stick 
with off-the-shelf software,” she said. 

Because the people implementing that soft- 
ware didn’t write it, they probably don’t know all 
of its quirks, bugs or peculiarities; and, even more 
seriously, the off-the-shelf software may not fit 
well with the business logic behind it. 

It’s easy to assume that one system is issuing
the right requests to another, she said, but if
the code that implements (for example) the Web
server on one side and the business logic on the
other side aren’t visible, the “unintended consequences”
are hard to predict.

“If you’re using black-boxes, the only 
opportunity you have to confirm it’s working is at 
the interface, where you log the traffic going in 
and out of the applications. That way, you can 
attempt to track down where an order entered 
system A but never emerged.” 

That kind of logging is tedious; so is
correlating and analysing events on either side
of that interface; and even then, Dr Raymond
points out, knowing which system failed in a
transaction doesn’t necessarily tell you how or
why it failed.


Thanks for Your Submission... 


Let’s stick with the obvious for a little while 
longer: the confirmation page is meaningless, 
since it says nothing except that the Web server 
saw something happen. 

The confirmation page means nothing
more than that the Web designer, who may have no
programming training or experience at all,
right-clicked on ‘button properties’ or ‘form
properties’ in a Web design tool and typed in an
address for the page to be sent from. As Mercury
Interactive field marketing manager Peter Lilley
points out, the only thing a confirmation page
guarantees is that “the Web server can read a
name out of a cookie”.

“The form only facilitates the first part of 
the transaction,” says James Scott, commercial 
director at Graham Technology. “It’s about 
automating functions rather than automating 
business processes.” 

In fact, if we’re talking about a serious 
site, trying to deliver real business transactions, 
the confirmation page is probably counter- 
productive, since it gives customers a false sense 
of security. 

Dr Raymond says that while it’s important
that customers get feedback from the Web site,
it’s just as important that the feedback means
something. There are two faults common to most
Web operations — the first is a ‘false positive’, the
confirmation page that doesn’t relate the Web
form to the back-end transactions needed to
complete an order; the second is that most operations
leave users unsure of what to expect.

“The user is often unclear of the response 
they expect to receive — if nothing happens, what 
should they assume? There’s a design issue sur- 
rounding what the user should be aware of,” Dr 
Raymond said. 

Tony Cruise, managing director of Tasman- 
ian software company Neoteck, agrees. “The form 
post is just a request to the server. If your code is 
written properly, you don’t send a confirmation 
until you’re sure the transaction is stored in the 
database.” However, most sites don’t do such 
simple error checking. 


Even then, this change in procedure makes
the user feedback issue tougher. By holding back
confirmation until after the database has committed
a transaction, you reduce the risk of sending
users a ‘false positive’ — but that means risking the
sort of uncertainty Dr Raymond warns against.

One defence against this is simple: good
architecture. The database response will be quick
enough, if the database itself can scale to service
the incoming requests — and if the system components
are segregated in a decent architecture.
Cruise says many sites still host the Web server
and the database server on the same machine, and
since both applications are resource-hungry and
self-tuning, it doesn’t take much of a workload
before they’re starting to contend for resources.

“If you're processing a Web server request
and you want to store something to the database
at the same time, there’s no getting out of the way
that each request doubles the resources needed.”

Since it’s probably under load that systems
lose user data, Cruise adds that how you hand-off
data from the Web server to the database also
needs attention.

“Lots of people are still using CGI scripts
for this. They’re not scalable, because CGI starts a
new process for each request.”

Cruise advocates using a middle-tier data
processing object to handle communication
between the Web server and the database; the
database server can be scaled to deal with the
incoming traffic through a single open port,
rather than with an unpredictable number of
client connections.

The downside, of course, is that by introducing
another point at which the transaction is
handed off from one system to another, there’s
also another place where a transaction can get
lost. Cruise agrees, but emphasises that these
sorts of vulnerabilities have to be dealt with
in system tests.

Apart from overcoming the assumption that
the code in the HTML form can be trusted, Cruise
highlights a couple of other vulnerabilities. For
example, the Web transaction probably relies on
SSL — and SSL is much less scalable and much more
demanding on resources than the Web server.

So here’s another variable: the Web server
can deliver pages at a given throughput, the
database logs transactions at a different rate,
and the SSL server is different again. Anywhere
the throughput is mismatched, you might introduce
a fault.

Badly implemented SSL environments also
degrade the system’s ability to deliver transactions
reliably, says Lilley.

“One of the greatest culprits in performance
degradation is security,” he said. In particular,
bad implementations will leave secure sockets
open when a customer exits partway through a
transaction. Then, when new users open connections,
they add their own new socket connections,
and even without the user load ramping up, the
Web server becomes exhausted.


The Integration Pitch 


The ‘lost transaction’ forms the basis for the pitch
of vendors offering application integration systems,
because as Mercator senior VP David Linthicum
says, “the problem arises with bad transactionality
with back-end systems . . . there’s no mechanism to
recover from the typical errors that occur.”

Mercator’s approach, he said, is to wrap the
normal two-phase commit architectures around
the Web-based service. “If something breaks the
transaction, you roll it back and you let the user
know that the transaction does not work.”

Linthicum finds it strange that such loose
procedures have grown around Web transactions
when a far more vulnerable environment — the
automatic teller machine — has had well-established
processes for years. Why would a bank, for
example, be able to design a process that prevents
ATM transactions from incomplete success but
allow Web transactions to abort half-way through?

“If there’s a failure on an ATM, it fails completely
— the card is returned and the machine
shuts down. If the transaction succeeds, it succeeds
completely. You don’t have a situation
where the transaction half-way succeeds,” he said.

The problem, says Graham Technology's
managing director in Australia David Harvey, is
that “very few commerce operations have any kind
of realtime integration — it’s all smoke and mirrors.”

To eliminate the ‘false positive’, an element
of workflow is needed to make the integration as
near to real-time as possible, he said.


However, Lilley cautions against the view
that integration environments and/or middleware
systems will cure the whole problem. As with the
Web server itself, he said, you need to understand
the peculiarities of the systems you're dealing with.
For example, drawing on his experience testing
Enterprise Java Beans in middleware environments,
he says that people implementing transaction
systems often don’t understand that these systems
can be very bursty in their behaviour.

The technical issue here is to see whether or
not the middleware components scale up and
down in a linear fashion.

“Surges are a very common performance issue
in a multitier environment,” Lilley said. “The Web
server is going fine, but the application server is
busy, then it’s dead, then it’s busy.” This can be a
symptom of fairly simple configuration issues inside the
middleware servers, he said, but if you don’t look for
the problem you won’t know it’s happening.


Back to Basics 


Cruise says many sites don’t do simple error 
checking, especially when Web operations are 
written under time pressure, by programmers 
who are more experienced with posting content 
than with writing code. 

“You should go through load testing,” he 
said, “and you should have a test plan in place 
for transactions.” 

At the very least, Cruise said, sites running 
customer transactions should log every request to 
the Web server, and the number of hits to the 
order page. That should then be regularly corre- 
lated to the number of entries in the database. 

“It’s fairly basic stuff from the old days, but 
I don’t see much of it in modern systems,” he said. 

The logging is particularly important when 
you're dealing with off-the-shelf software, as Dr 
Raymond pointed out, since you won’t have 
onsite access to people who understand the source 
code of your system. 
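
Cruise's correlation of order-page hits with database entries, and the interface logging Dr Raymond describes earlier, reduce to a reconciliation job of the following kind. It is an added example, not code from the article or from any product named in it; the log lines, the `/order` path and the `orders(created_at)` table are constructed, and the database is assumed to record local time as the log does.

```python
"""Reconcile accepted order POSTs in a web access log against rows in the
orders table, hour by hour. Added illustration: the log lines, the /order
path and the orders schema are constructed for this example."""
import re
import sqlite3
from collections import Counter
from datetime import datetime

# Common log format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [01/Aug/2001:10:02:11 +1000] "GET /order HTTP/1.0" 200 5120
203.0.113.7 - - [01/Aug/2001:10:03:40 +1000] "POST /order HTTP/1.0" 200 812
198.51.100.4 - - [01/Aug/2001:10:17:05 +1000] "POST /order HTTP/1.0" 200 812
198.51.100.9 - - [01/Aug/2001:10:41:59 +1000] "POST /order HTTP/1.0" 500 301
192.0.2.33 - - [01/Aug/2001:10:55:20 +1000] "POST /order HTTP/1.0" 200 812
192.0.2.61 - - [01/Aug/2001:11:08:02 +1000] "POST /order?src=home HTTP/1.0" 200 812
192.0.2.61 - - [01/Aug/2001:11:30:47 +1000] "POST /order HTTP/1.0" 200 812
""".splitlines()

# Constructed rows: what the back end actually stored. The 10:55 order is absent.
SAMPLE_ROWS = [
    ("2001-08-01 10:03:41",),
    ("2001-08-01 10:17:05",),
    ("2001-08-01 11:08:03",),
    ("2001-08-01 11:30:48",),
]


def accepted_posts_per_hour(log_lines, order_path="/order"):
    """Count POSTs to the order page that the customer saw succeed (2xx)."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not guess
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != order_path:
            continue
        if not m["status"].startswith("2"):
            continue                      # the customer was shown an error
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[when.strftime("%Y-%m-%d %H")] += 1
    return counts


def stored_orders_per_hour(conn):
    """Count committed order rows per hour of their created_at timestamp."""
    rows = conn.execute(
        "SELECT substr(created_at, 1, 13), COUNT(*) FROM orders "
        "GROUP BY substr(created_at, 1, 13)"
    )
    return Counter(dict(rows))


def reconcile(log_lines, conn):
    """Return (hour, web_count, db_count) for every hour where they differ.

    An order stored just after the hour boundary shows up as a surplus in
    the next hour, so adjacent mismatches should be read together.
    """
    web = accepted_posts_per_hour(log_lines)
    stored = stored_orders_per_hour(conn)
    hours = sorted(set(web) | set(stored))
    return [(h, web[h], stored[h]) for h in hours if web[h] != stored[h]]


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, created_at TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO orders (created_at) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    for hour, web_count, db_count in reconcile(SAMPLE_LOG, build_sample_db()):
        print(f"{hour}:00  web accepted {web_count}, database holds {db_count}")
```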

Test system vendors like Compuware and 
Mercury Interactive agree — naturally enough — and 
have also seen the insides of systems that don’t 
work. Jay Holmstrom, Compuware’s product man- 
agement director for enterprise testing solutions 
says that many Web developers run load tests, but 
miss the interaction between systems because they 
run those load tests on isolated systems. 

Holmstrom stresses the need to add func- 
tional testing as well, to run transactions from the 
user point of view, and observe whether activities 
initiated by site users produce the expected results. 

With the right test automation, Holmstrom 
said, “you can create a script to make the purchase 
and go through the checkout, and run that script 
on a schedule”. Then the success or failure of the 
transaction can be reported against the SLA. 

To meet the need for tests that can span the
whole transaction, he said, vendors like Compuware
are “looking at fitting things together more —
creating integrated packages that can run the
transaction, test its success, and report the response”.

With a little forethought, Holmstrom said,
tests can be created that offer an accurate reflection
of how the system behaves: as well as
submitting a transaction, for example, the test
script can also query the database afterwards to
identify the right record with the right timestamp.

“The most common cause of failure is a time-out
in one segment of the transaction,” Holmstrom
said, “there might be insufficient ports at the Web
server or at the application server, for example.”

It’s also important to create tests that reflect
reality: for example, Holmstrom asks, does a load of
100,000 hits per day mean 4,000 hits per hour?
Or does it mean 30,000 per hour for two hours a
day, and a nearly-idle system the rest of the time?

“If you have a usage model, you will learn
more from the tests,” Holmstrom said.

Putting together these kinds of tests also 
overcomes the problem of trying to correlate the 
vast amount of information that might be logged 
at different points in a transaction. “The transac- 
tion might start at an Apache Web server, go 
through IBM’s DB2 Connect and back to a 
mainframe through MQ Series. 

“At any layer, there are hundreds of statistics 
for you to look at — page faults, memory statistics, 
disk I/O . .. so what do you monitor? You should not 
have to just believe that something is happening.” 

Lilley agrees. “What I see a lot is that 
applications have been functionally tested, but 
they fall apart either because of heavy load, or 
because the application changes with the 
passage of time. 

“It’s often not the day-one disaster, but the 
problem that emerges ninety days later — at a 
certain point, the user load grew too much, or 
the database is that much fuller and slower.” 

Ongoing testing will help identify what’s 
happening in cases like this, Lilley said, and will 
also help sidestep the ‘silo-ing’ that often causes 
problems in the first place. 

“The more critical the large-scale system,
the more likely it’s built of different components,
each with different ownership. Each of the
components can be running at 100%, but the
customer transaction is still failing.

“Each of the different groups in the silos has 
their own performance targets or SLAs, and these 
are expressed in terms like availability, utilisation, 
latency and so on.” 

All of these metrics, Lilley says, derive from 
a defensive intent: rather than demonstrating that 
the transactions are working properly, they let sys- 
tem admins say “look, I’m doing my job properly”. 

So the Web server is tested for hits per 
second, the database tested for transactions per hour 
and so on, and everybody claims their systems meet 
their performance guidelines. 

“As a result, there’s a silo mentality to load 
testing. Without a customer perspective, it’s rare to 
find anyone who owns transaction fulfilment,” he said. 

“Rather than saying ‘we can support X 
users’, the objective should be that ‘with 100 
users placing ten orders each, the response time 
meets its target, and we can demonstrate that 
1,000 orders arrived in the database and 1,000 
confirmations were sent’. 

“That’s the difference between technical 
load testing and functional load testing.” 

There remains, however, a downside of these 
kinds of systems tests: the most you learn from a test 
script is that the test transaction worked — or that if 
it failed, your systems told you and the customer 
that they failed. You're never going to have 100% 
confidence that every failsafe works, however. 

Which means you also have to have processes 
in place that let the interface to your company — 
whether that interface is the call centre or the Web 
— deal with the failures. 

Some things are obvious. Dr Raymond says 
systems should only generate customer confirmation 
numbers once a customer’s activity is known to the 
system — and customers should be told in advance 
what to expect. “You have to educate the user about 
what to expect, so they can distinguish between 
transactions that succeed and those that fail,” she said. 

Moreover, the customer confirmation num- 
ber must be unique, unlike a particular bank’s call 
centre system whose customer numbers are simple 
day-and-time stamps. In that case, when the call 
centre is unable to locate a customer transaction, 
the fact that confirmation numbers are easy to 
forge means call centre operators tend to believe 
that all ‘lost’ numbers were forged by the caller. 
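
Cruise's rule of sending no confirmation until the transaction is stored, and the uniqueness requirement above, can be combined as follows. This is an added example, not code from any site or vendor quoted in the article; the table layout, the key handling and the `ORDERID-TAG` number format are assumptions.

```python
"""Issue a confirmation number only after the order row is committed, and
make the number verifiable so a 'lost' one cannot be dismissed as forged.
Added illustration: schema, key handling and number format are assumptions."""
import base64
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime

# Assumption: a real deployment loads a stored secret instead of generating
# a fresh key at start-up, so numbers stay verifiable across restarts.
SERVER_KEY = secrets.token_bytes(32)


def weak_confirmation(when):
    """The day-and-time stamp scheme the article criticises."""
    return when.strftime("%d%m%H%M%S")


def _tag(order_id):
    """Keyed tag binding the order id to this system: 80 bits, 16 characters."""
    mac = hmac.new(SERVER_KEY, order_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode("ascii")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT PRIMARY KEY, "
        "customer TEXT NOT NULL, item TEXT NOT NULL)"
    )
    return conn


def place_order(conn, customer, item):
    """Return a confirmation number, or None if nothing was stored."""
    order_id = secrets.token_hex(6).upper()   # random, so unique and unguessable
    try:
        with conn:                            # commit on success, roll back on error
            conn.execute(
                "INSERT INTO orders VALUES (?, ?, ?)", (order_id, customer, item)
            )
    except sqlite3.Error:
        return None                           # show a failure page, not a confirmation
    return f"{order_id}-{_tag(order_id)}"


def check_confirmation(conn, number):
    """Classify a number quoted to the call centre."""
    order_id, _, tag = number.strip().upper().partition("-")
    expected = _tag(order_id)
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return "not issued by this system"
    row = conn.execute(
        "SELECT 1 FROM orders WHERE order_id = ?", (order_id,)
    ).fetchone()
    return "order on file" if row else "issued, but record missing: escalate"


def demo():
    """Constructed scenario: one good order, one failed insert, one lost record."""
    conn = open_db()
    good = place_order(conn, "alice", "handset")
    failed = place_order(conn, "bob", None)   # violates NOT NULL, so no row is stored
    lost = place_order(conn, "carol", "handset")
    conn.execute("DELETE FROM orders WHERE order_id = ?", (lost.split("-")[0],))
    conn.commit()                             # simulates a record lost downstream
    same_second = datetime(2001, 8, 1, 10, 3, 40)
    return {
        "good": check_confirmation(conn, good),
        "failed": failed,
        "lost": check_confirmation(conn, lost),
        "forged": check_confirmation(conn, "0A1B2C3D4E5F-AAAAAAAAAAAAAAAA"),
        "weak_a": weak_confirmation(same_second),
        "weak_b": weak_confirmation(same_second),   # a second customer, same second
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7s} {result}")
```

A number whose tag verifies but whose record is missing tells the operator the fault is in the back end, not with the caller.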


Richard Chirgwin is group editor IT&T at Informa. He
can be contacted at richard.chirgwin@informa.com.au.


Mobile Internet Toolkit Beta 2

Tools

Microsoft released the final beta release of its
Mobile Internet Toolkit to coincide with the
availability of the Mobile Information Server
(MMIS). The release leverages the latest Beta
releases of the Microsoft .NET Framework
and Visual Studio.NET to build mobile Web
applications. The Microsoft Mobile Internet
Toolkit contains server side technology
enabling ASP.NET to deliver content to a
wide variety of mobile devices. These devices
include WAP (WML) and iMode (CHTML)
cell phones and PDAs running Windows
for Pocket PC.

The Mobile Internet Toolkit (formerly
.NET Mobile Web SDK) features:

■ Mobile Internet Controls Runtime — A
set of ASP.NET server controls that generate
WML 1.1, CHTML 1.0, and HTML
3.2 content for different devices.
■ Mobile Internet Designer — A drag-and-drop
user interface that integrates with
Microsoft Visual Studio.NET.
■ Device Capabilities — Updates to the
ASP.NET browser capabilities for
mobile devices.
■ Device Adapter Code — To help add
support for new devices through the
extensibility model.

Documentation and a Quickstart help guide are
also included in the download.

The toolkit requires the .NET Framework
Beta 2 to be present before installation, while the
Mobile Internet Designer requires Visual Studio.NET
Beta 2. The Mobile Internet Toolkit
Beta 2 is available for download from the
Microsoft Developer Network Website.


Microsoft: http://msdn.microsoft.com 


Virtually Yours 


Operating System Host 


Connectix has begun shipping its new Virtual PC product for Windows, allowing 
machines running Windows 2000, NT or Me to virtually host and run 
concurrently any combination of Intel-based operating systems such as Windows 
95/98/2000, NT, Me, Linux and MS DOS. 

Virtual PC automatically detects and works with all the settings of the
host operating system, meaning there is no need to configure network
settings for any of the guest operating systems. There is also no need to
reboot, with users able to switch to their desired operating system as simply
as switching applications.

The Drive Container feature stores each guest operating environment —
data files, applications and operating system on a single file — allowing easy
portability of guest environments. Users with existing OS partitions can
configure Virtual PC to use a dedicated partition for each guest OS.

Virtual PC has a recommended retail price of $579 and is available
locally through Firmware Design.


Virtually host a number of OS's 
Firmware Design: (02) 4721 7211 
Database Penguin


Database


Red Hat has expanded its portfolio to include a database solution based on
PostgreSQL and optimised with Red Hat Linux 7.1. Red Hat Database sees
the Linux developer move into the database space, targeting a need it spies for
“reliable and more cost effective databases for e-business applications”.

The database supports multiple programming languages such as
C/C++, PHP, Perl, Python, Tcl/Tk and Embedded SQL (in C).

The release includes features such as: Red Hat Installer, and enhanced
documentation for easy installation and setup; advanced locking capabilities
to ensure database integrity; and standards compliance including core SQL
92 support, ODBC and JDBC.

The database also features APIs for broad application integration and
compatibility, and support for object oriented features, such as large objects,
structured types and user-defined abstract data types (ADT) for flexibility.

The Database is available for $4,495 and includes Red Hat Database
7.1 and Red Hat Linux 7.1.


Red Hat: (07) 3872 4811 


Red Hat Linux 7.1 


Rhapsody harmonises


Test and Measurement


I-Logix announced new capabilities within
Rhapsody 3.0 to allow developers to bridge the
gap between design-level and code-level testing.

The added functions allow developers to
automatically generate code from system-level
actors which can both monitor and stimulate the
system under design, ensuring the application
will meet the original function requirements.

The further announcement of a deal
with Applied Microsystems will see an integrated
CodeOPTIX/Rhapsody family of testing
tools. I-Logix claims that this will “close
the loop” in model-based development and
testing by enabling the developer to prove
their application meets both functional and
operational requirements.

In particular, the integration of Rhapsody
with CodeTEST will provide a means for developers
to seamlessly generate production quality
C and C++ code and then perform quality
measurements — including code coverage,
performance and trace analyses.

Rhapsody is an object-oriented application
development environment for working in Micro
C, C and C++. The environment is based on the
Unified Modelling Environment and features
unique model/code associativity and is claimed by
its designer to shift the focus for developers away
from coding and debugging. I-Logix is also a
founding member of the Embedded Linux Forum.


Electro Optics: (02) 9654 1873 
Rising to Securit


Test and Measurement 


Mercury Interactive released a hosted security testing
service, known as ActiveTest SecureCheck.
Claimed to be the first of its type, ActiveTest
SecureCheck measures the impact of a heavy user
load on firewalls, Web security systems, Intrusion
Detection Systems and critical business components.
It also provides the ability to simulate Denial
of Service (DoS) attacks to assess the vulnerability
of infrastructure and application components.

To provide the service, Mercury has licensed
security scanning technology from Qualys, and
combined it with the load generation capabilities
of ActiveTest. Adding Hailstorm, a product from
ClickToSecure, the service provides a potent
repertoire of DoS simulations including buffer
overflows, SQL, and DoS attacks aimed at specific
applications and infrastructure components.

Upon completion of the testing, ActiveTest
SecureCheck provides the customer with a
detailed report of the findings and experts managing
the service arrange an in-depth discussion
with suggestions to help fortify applications
against possible security breaches.

Initial service providers who will utilise the
service include EYT and Deloitte Consulting. Pricing
for the service starts at $50,000 per scheduled service.


Mercury Interactive: http://www.mercuryinteractive.com 


Embedded In 
Hills 


Embedded Tools 


Green Hills Software will make its MULTI 2000
Integrated Development Environment (IDE)
available for embedded Linux systems. The
MULTI 2000 IDE, which can be hosted on
either Windows, Solaris, HP-UX or Linux systems,
is claimed to greatly simplify the development
of applications for embedded target systems
running the embedded Linux OS.

Combined with Green Hills’ optimising
C/C++/EC++ compiler, the IDE is said to automate
all aspects of software development for
embedded Linux.

The IDE features a window-oriented
editor, graphical source-level debugger and
program builder. MULTI 2000 also includes a
version control system, an on-line context-sensitive
help feature, and an instruction set simulator
so that a developer can develop and test
their code on a PC or workstation without the
need for target hardware.

An incremental source-level debugger
supports process- and system-level debug (application
code only), and provides a separate window
for each application process. It also supports
mixed assembly and high-level language formats.
The Linux-aware debugger includes a
language-sensitive expression evaluator.

Initially, the IDE will support Linux target
systems based on the Power PC processor, with
x86 support planned for a future release.


Electro Optics: (02) 9654 1873 


New Tuxedo 


Application Server 


BEA announced the availability of Tuxedo 8.0
and WebLogic Enterprise 6.0, its flagship enterprise
application servers.

WebLogic Enterprise 6.0 combines BEA’s
Java application server, WebLogic Server and the
new version of Tuxedo into a single offering. The
newest version of Tuxedo, version 8.0, adds
support for BEA’s CORBA distributed application
technology to support for distributed
applications built using C, C++ and COBOL.
This new functionality will allow enterprises to
protect long-standing investments by integrating
legacy applications developed using other
CORBA environments, and integrates with
mainframe and other enterprise apps.

BEA has also begun shipping WebLogic
Integration, leveraging the WebLogic Server and
the J2EE Connector Architecture framework.
BEA WebLogic Integration provides infrastructure
for business Web services.


BEA: http://www.bea.com 


Plenty of Ware 
n the Reef 


Front-end Design 


Reef has launched the latest version (2.3) of Reef
InternetWare, offering new levels of performance
and customisation options. Version 2.3
offers greater flexibility for users and solutions
partners to customise the look and feel of an
administrative interface. The product is further
enhanced to ensure support for the latest Java
standards, including support for JSP 1.1, Servlet
2.2, JavaMail 1.1.3 and JDK 1.2.2.

Reef has added a Search API, to allow the
easy addition of search tools into a site or application,
and the Mail API has been expanded to ease
the process of sending e-mail from within any
application written in Java.

Reef has added a new application called
Theme Editor to the suite, which is a WYSIWYG
customisation and personalisation tool for
the layout, design and character sets used on an
administrative interface.

Reef has also launched an enterprise version
of Reef Commerce, whereby each storefront or
individual supplier can manage their own separate
inventories.


Reef: (02) 9212 4600 


Serving Up Linux 


Application Server 


Caldera launched its new server range, Caldera
OpenLinux Server, and Caldera Open UNIX 8,
enabling the deployment of Linux applications
on both Linux and UNIX platforms. The two
servers use the Linux environment as a common
interface to provide platforms for needs ranging
from a low-end server to a high-end data centre.

Open UNIX 8 is a deployment platform
for Intel processor systems, and is claimed to
offer the flexibility of Linux with the same scalability
and reliability synonymous with UNIX.
By incorporating Linux Kernel Personality
Technology, Open UNIX 8 can run Linux and
UNIX applications simultaneously.

The release maintains compatibility with the
SCO UnixWare OS acquired by Caldera; can be
easily upgraded to by UnixWare 7 users; and includes
significant refinements to the UNIX platform.

OpenLinux Server, based on the Linux 2.4
kernel, is a fully integrated and stable Linux operating
system.

The server comes with default configurations
for secure Web, file, print and network infrastructure
servers. Both products are available now from
your local distributor, which can be found at:
http://www.caldera.com/partners/dist/australia.html


Caldera: http://au.caldera.com 


Notes in Browser 


Notes 


Lotus announced the availability of its Web client
version of Notes, iNotes Web Access, which delivers
Domino messaging, collaboration, personal and
company information via a Web browser.

The new version not only provides a complementary
access method for current Notes users,
but aims at new users for whom a full-scale client
isn't a necessity. iNotes Web Access also provides
the flexibility of accessing Domino applications
anywhere a user can find an Internet connection,
without sacrificing the full functionality of a
standard Notes desktop environment.

iNotes requires Domino server R5.0.8 for
Windows NT/2000, Sun Solaris, IBM AIX, AS/400
or S/390. It runs with Microsoft Internet Explorer
5.0 and above.


IBM: 1800 252 408 


Developer Sites from the Information Broker


By Tony Stevenson


Welcome to a new column, Developer Sites from the
Information Broker, which will be published every
two months in Systems Developer. Tony Stevenson is
the Information Broker, and he’s the author of the best-selling
book, The Australian Guide to the Internet (its companion Web site
is located at www.mkdsoftware.com.au) and author of the brand
new book, The Australian Guide to Online Business
(www.mkdsoftware.com.au/online). In addition to his writing, he’s also an IT
consultant with more than 15 years’ experience.

In each issue of Developer Sites from the Information
Broker, half a dozen or so sites related to a specific development
environment or programming language will be featured. By
visiting these sites, you will be able to browse your way
through a host of tips and tricks, online tutorials, feature and
how-to articles, ezines, case studies, training news and shortcuts.
You'll also be able to download useful utilities and code
samples to help you in your daily job. The other good news is
that these sites will, in turn, inform you of even more online
resources that are worth knowing about. This month, the spotlight
is on the Java programming language.


Quickly Accessing the Developer Sites 

Before we begin our exploration of this month’s Developer Sites 
from the Information Broker, it’s important to point out that a 
Web page has been set up so that you can quickly access all the 
sites referred to in this article from just the one spot. To access it, 
drop into “The Australian Guide to the Internet” Web site 
(www.mkdsoftware.com.au), click the “Sites to Lookup” link, and 
then click the category link labelled “Java”. 


Java Technology Source 


On its home page, the java.sun.com site describes itself as being
“the source for Java technology”. And there’s no doubt that
there are plenty of interesting links to explore here, with prime
examples being its links to “Industry news”, “Case studies” and
the “Solutions marketplace” (where you can browse for both services
and products). An example of a recent case study was the
one that discussed the successful development of a Web-based
wireless mobile resource management system. While visiting
here, you are also actively encouraged to participate in the site’s
online forums and chats via its “Community discussion” link.


http://java.sun.com/ 


Java Tutorials 

To catch up on the latest Java technology tutorials, call into the
Java technology section of IBM’s developerWorks site. To whet
your appetite for what you'll find there, here are just four examples
of the titles of tutorials that are currently available: “Build your
own Java library”; “Building a Java applet”; “Designing JavaBeans
for visual programming”; and “Introduction to Java for C and C++
Programmers”. Depending on the specific tutorial that you select,
you may be able to complete it online, or alternatively, download
either a PDF or Zip file that contains the tutorial’s content (complete
with sample code if applicable).


http://www-105.ibm.com/developerworks/education.nsf/dw/java-onlinecourse-bytitle/


Applets Galore 

When you click the “Applets” link on the JavaBoutique home page, you 
immediately gain access to a large assortment of applets, servlets, Java 
applications and Java-related utilities. And to make it easier to find what 
you need, these have been organised into categories such as “Applets by 
Author”; “Applets by Category”; “Applets by Date”; “Applets by 
Name”; “Hall of Fame” (the site’s 10 most requested applets), “Top 
100”; “Applet of the Week”; “Applets for Programmers”; and “Servlets”. 


http://www.javaboutique.internet.com/ 


In the “Nuts & Bolts” section of JavaWorld, the following sections
have been set up to help you master the many different aspects of
Java development: “Regular Expressions”; “How-To Java”;
“Client-Side Java”; “Wireless World”; “Java 101”; “User Interface Design”;
“Tips ’N Tricks”; “Servlet Filters”; “Java Traps”; “Java Q&A”; and
the complete “Java Q&A Index”.


http://www.javaworld.com/ 


Got an opinion about Java that you’d like to share with the world? 
Then post it at JavaLobby. 


http://www.javalobby.org/ 


Finally, don’t forget to drop in regularly to Java Shareware to discover
the latest additions to its collection of “goodies”.


http://www.javashareware.com/


Feedback


If you've got a favourite Java Web site that’s been overlooked here, 
e-mail Tony Stevenson at Tony.Stevenson@mkdsoftware.com.au. The 
details will then be added to the list of sites in the Java category on The 
Australian Guide to the Internet site (www.mkdsoftware.com.au). 
Networking
Industry Event


www.interop.com.au


For the first time in Melbourne
See over 100 of the world's leading
networking and communications providers


Fast forward your business with the latest
end to end solutions in network technologies


E-drive your enterprise skills with leading
edge tools


Connect and deliver new technologies
and know how


Not to be missed: Hot Zones on Security,
Storage and Wireless


Key3Media Partners
5 Smail Street
Tel 02 9280 4415
Fax 02 9280 4545


NetWorld is a registered
service mark of Novell Inc.,
in certain jurisdictions.


Entrance Policy
Business Visitors Only. Persons
New Cybercrime Legislation


By Andrew Perry and Kate Fitzgerald


The increasing reliance on computers, telecommunications and
the Internet in business and day-to-day life has magnified the
impact and incidence of computer-related crime. As a result,
Australia is updating its cybercrime laws with legislation that will impose
significantly increased penalties on hackers and would-be hackers.

The Model Criminal Code Report, developed by the Commonwealth
and State Attorneys-General and released in February this year,
sets out a number of new offences and penalties. These offences and
penalties are currently being implemented by the Commonwealth
Cybercrime Bill and the NSW Crimes Amendment (Computer Offences) Act.
Other States and Territories are expected to introduce legislation
soon. The Commonwealth Bill is expected to become law late this year
while the NSW Act should already be in operation.

The Cybercrime Bill and NSW Act are designed to reduce
technology-assisted crime by imposing heavy penalties on
offenders. The Cybercrime Bill also increases the scope for investigators
to collect evidence for prosecution of these crimes.

Last year, a group of hackers was able to temporarily prevent
the operation of the Amazon.com site by flooding it with requests for
Web pages that didn’t exist. Both the Cybercrime Bill and the NSW
Act outlaw these ‘denial of service attacks’. Under the new legislation,
a person will be guilty of an offence if they cause an unauthorised
impairment of electronic communication to or from a computer. This
offence is punishable by a maximum of ten years’ imprisonment.

Under the Cybercrime Bill and NSW Act, persons who hack
into a protected computer system will be subject to a maximum of
two years’ imprisonment. This same penalty applies to someone who
causes the unauthorised impairment of the reliability, security or
operation of data held on a Commonwealth disk, credit card or other
device. This offence is designed to cover acts such as passing a
magnet over a disk or cutting a credit card in half.

The Cybercrime Bill imposes a maximum ten years’ imprisonment
on a person who causes any unauthorised modification of data
held in a computer where they are reckless as to whether the modification
will impair access to data, where that data is held by or on
behalf of the Commonwealth, or the impairment is caused by or
affects a telecommunications service. A person who circulates a disk
containing a virus that infects a Commonwealth computer would be
subject to this provision.

Both the NSW Act and the Cybercrime Bill are designed to comprehensively
prohibit computer hacking. Further provisions include
offences that relate to the possession and supply of data that is
intended for use in the commission of a computer crime. These provisions
would cover those who possess or sell programs that are
designed to hack into or damage others’ computer systems.

The Cybercrime Bill and NSW Act recognise the increasing use of
computers in the commission of other crimes, most notably fraud and
cyber-stalking. Under the NSW Act and the proposed Cybercrime Bill, it
would be an offence to cause any unauthorised access, modification or
impairment of data held in a computer with the intention of committing
a serious offence. Unauthorised use of a computer with the intention
to commit a serious offence will be punishable by the penalty
applicable to that offence. For example, a person who hacks into a bank’s
or other company’s computer system in order to obtain money would
be subject to the penalty for fraud, which is ten years’ imprisonment.

Importantly, the NSW Act recognises that the effect of computer
crimes may be felt far from the origin of the crime itself, as is evidenced
by computer viruses. As a result, the Act allows for serious indictable
offences committed outside New South Wales to be subject to its jurisdiction.
This would overcome the problem experienced with the recent
‘I love you’ virus, where the perpetrator avoided prosecution because
Philippine laws did not proscribe such a computer offence.

The Cybercrime Bill provides for the enhancement of law
enforcement powers under the Crimes Act 1914 (Cth) and Customs Act
1914 (Cth) to facilitate the investigation of computer-assisted crime.
These provisions are consistent with the Convention on Cybercrime,
negotiated by the Council on Europe in Strasbourg, France, earlier
this year. The Crimes Act amendments will be of great use to law
enforcement agencies, as a broader scope for collecting evidence will
assist the prosecution of the new offences.

Extended law enforcement powers allow for the examination or
processing of equipment off-site if it is more practicable to do so. This
overcomes the difficulty of time-consuming searches of volumes of
data, often protected by security measures such as encryption. Officers
may also be permitted to copy data if it constitutes evidence.

These broader amendments recognise that most computers in
the workplace today are part of a network or system. Accordingly, the
Cybercrime Bill allows a search warrant to be used to search data that is
not only stored on a computer, but accessed from a computer.

While many see the world of hackers as glamorous and exciting,
these new legal initiatives should cause would-be hackers to
count the cost of a ‘harmless’ invasion.


Andrew Perry is a senior associate and Kate Fitzgerald is a paralegal with the
Telecommunications & Technology Group of Middletons Moore & Bevins. This
column is a general discussion of relevant law and is not a substitute for appropriate
legal advice. Andrew Perry can be contacted at andrew_perry@mmb.com.au.
Whether you’re developing or acquiring software
a subscription to Software Engineering Australia
will assist you to manage software risk


Software Engineering Australia (SEA) is a not-for-profit
organisation leading Australian business to make
Australia internationally recognised as a top tier
location for the development of software.


Subscribe to SEA now and receive

* Added value to your business through good software process
* Discounts to SEA products, services & knowledge resources
  and events
* Targeted networking opportunities
* SEA Software journal, published three times per year


All for the affordable subscription cost of
$110.00


Special student subscription rate
$55.00


SEA aims to improve the Australian software industry’s
capability by enabling all developers and acquirers ready
access to better processes and new technologies.


Developers


SEA will lead you to the path of producing better quality software
with faster delivery & time to market.


Acquirers of software


SEA will show you techniques to assist you to buy software with
greater predictability of scheduling, less risk and increased quality,
both on time and on budget.


Software Engineering Australia


improving the business of software
www.seanational.com.au


Phone 1300 884 888


SEA subscription Application Form 


Mail to SEA National, Level 4, 222 Kings Way South Melbourne Vic 3205. Or fax to 1300 884 887 


Contact Details
Contact name Ms / Mrs / Mr (please circle)
Position title
Organisation name
Mailing Address
State
Phone (direct)
Mobile
Fax
Email
Website
Signed
Date

*please note one application form per subscriber


Payment
Subscription @ $110.00
Student subscription @ $55.00
Total Payment


Please indicate your method of payment

Cheque - attached.
Cheques should be made payable to SEA (National) Ltd.

Credit card - details:
Visa Mastercard Bankcard Amex Diners
Name on Card
Card Number
Expiry Date
Signature

This document becomes a tax invoice for GST upon payment. Please photocopy and maintain for your records. 
Piggy in the Middle?


By Gordon Turner


According to Gartner Group, B2B
e-commerce in the Asia-Pacific region
(excluding Japan) will more than double
each year to reach a transaction value of
$US995.8 billion in 2004, and, again regionally,
e-market makers are projected to account for 29%
(A$581 billion) of overall market value by 2004.
Along with consumer demand for convenient
Web-based services and the business adoption of
the Internet as an affordable communications
backbone (with Virtual Private Networks), this
means the Internet is very much part of the
business application developer’s world.

Simultaneously, though, there will be a
dramatic increase in the occurrence of security
breaches from hacking, virus development, denial
of service (DoS) attacks and the like.

The Australian Federal Police expects 560
cyber-crime reports this year, and over 1,000
next year — an alarming trend given how few
companies report such breaches or even know
when a breach has occurred.

As systems developers, you'll increasingly
be caught in-between, playing white knight
and black knight — on the one hand meeting
customer and user demand for increased access
to, and use of, the Internet, or ‘e’-based services
and on the other, defending data integrity,
confidentiality and availability, not to mention
the company reputation.

Your task is complicated by the increased
need for ‘business intelligence’, the need to
support multi-dimensional, cross-operational
performance measurement methodologies (such
as Balanced Scorecard), mergers and acquisitions,
and the general e-business trend — all of which
involve the integration of disparate systems.

Integration is one of the prime causes of
systems developers compromising their own
security measures, as they seek to tunnel, patch,
link and generally ‘knit’ legacy and new systems
into an ever more complex series of relationships
not accommodated by their security policy.

This is exacerbated by the need for developers
to deliver access and services over the Internet,
which is an open protocol, readily available, widely
deployed, and popular. As an open transport,
TCP/IP in raw mode does not provide much
identity and carries communication in the clear — very
attractive to the hacker community.

While transportation is simplified, applications
are becoming ever richer in functionality in a
bid to gain market share. You only have to look
into packages such as Office from Microsoft which
most of us use everyday — but do we actually use
much more than 10% of its functionality? Yet this
is often achieved, even — or especially — by the
major application developers at the expense of
incorporating restrictive security measures.

Further complications are created by the
increasingly mobile workforce, which requires
that a user be identified and secured, rather than
an easily categorised, predictable, fixed-location
node, and by the fact that a high percentage
of cyber crimes are caused by approved but
disgruntled staff members.

The very concept of ‘Internet or data security’
is riddled with contradictions.

The Internet is innately about ‘open communications’,
indeed it was first conceived with
communist principles to allow minds to meet in a
virtual, inclusive world of shared ideas and data.

Meanwhile, ‘security’ is the dull, matronly
voice of caution, doom and limitation. Indeed, the
security industry was founded on firewalls, which
have the primary function of access restriction.

It can no longer be ignored though. As
high profile security breaches continue, consumers
will begin to choose suppliers that are
perceived to have the best protection. In turn,
you will increasingly be pressured to incorporate
security into your developments.

Further, the pending privacy legislation will
force adherence by 21 December 2001 to ten
National Privacy Principles (NPP) relating to the
handling of personal information. They cover areas
you will be called in to support, including data
security, access and correction, transborder flow of
data and the protection of sensitive information.


systems Developer August 2001


What Options Do You Have? 


Retro-fixing is an industry-wide approach — and
we'll see a lot of this in the count-down to the
NPP deadline day. This is not a completely bad
thing; rather a necessary evil of all systems
development and management. Most industry
vendors and developers consider patching, fixing
and updating to be a normal part of a
system’s life cycle. How many service packs have
MS platforms had? Patches for Solaris? RPM
updates for Linux? There have also been many
updates and patches for security systems
whether hardware or software based.

The issue is that this should not be viewed
as the only solution — as with a patched tyre,
such an approach leaves behind inherent weaknesses
and a ‘blow out’ can occur later.

Another ubiquitous approach is to re-invent
the wheel and add your own methods, for
example, IP chains in open source code Unix.

Once again, I’m not pointing at this as the
wrong approach. Often it’s a very valuable one,
since developers who research and then provide
new system capabilities often find these become
de facto and then fully accepted standards — such
as Stateful Inspection from Check Point, and
CAPI from Microsoft. It is simply that this can
add complexity, especially if the developers
leave, and should be only one element of the
overall approach to tackling security.

Finally, as specific security issues and
capabilities become more common we'll start to
see more defences built into the major product
releases. All operating systems, for example, will
come with built-in firewall, VPN with IPSEC
and certificate key client capabilities.

The three approaches above are in common
use and valid. They provide system developers
with a means to enable, enhance and extend their
systems securely. However, the retrospective
approaches are resource-intensive, take focus
away from other, business-critical development
projects, and can significantly add to the cost of
owning a product.

One solution to achieving market edge,
and enabling evolutionary upgrades to meet
changing security and inter-operability requirements,
is to base security measures on a single
but open architecture.




Several parties are endeavouring to offer
this. The IETF, for example, has put forward IPv6
which has a great deal more emphasis on security
at the protocol level. Widespread adoption is yet
to occur however. Also, much of what IPv6 does
offer is not fully tested. Since it is much more
complex than the existing TCP/IP IPv4 in place
over the Internet today it is reasonable to assume
we still have to embark on learning curves and all
the associated resolutions mentioned above.

An alternative, proven option, is the Open
Platform for Security (OPSEC) — developed in
1996 by Check Point Software Technologies
but now actively supported by the nearly 300
tested and certified vendor-members of the
OPSEC Alliance, such as Citrix, Oracle, Nokia,
RSA Security, ISS, Sun Microsystems, Nortel and
most of the PC and server vendors. While it
might have started out as a useful marketing tool
for products like FireWall-1, it has become the
de facto standard for enterprise-wide security
policy management and enforcement.

Most importantly for developers, OPSEC
eliminates the burden of inter-operability, and
the size of the Alliance provides for a wide
choice of platforms and applications defined
and driven by a single, central, enterprise-wide
security policy.

Security needs to be an enabler — not a disabler.
The more you lock down the systems and
access to information, the less effective that information
and those systems can be. A key thing to
remember is that if your security developments
prove too restrictive to communications, users
will creatively find ways around them.

On the other hand, giving into demands
for swift, location-independent access, can compromise
your entire business. Regulatory and
customer pressure will soon force you to retro-fix
security holes anyway, so you might as well
address it at the outset.

A standard platform offers a sensible solution.
And, besides, can 300 vendors be wrong?


Gordon Turner is Southern Region Sales Manager, 
Check Point Software Technologies. 


... this should not be viewed as the only solution — 
as with a patched tyre, such an approach 
leaves behind inherent weaknesses. 
The Look of Linux 


By Richard Chirgwin 


“I like Linux,” Quinn said, “but sometimes its advocates can 
be a real pain.” 

We'd been discussing the awful PR stuff-up by Microsoft, 
when it started chasing some outback charity for proof of 
licensing for PCs it gives away to the poor people. I sometimes 
wonder whether Microsoft’s lawyers are on speaking terms with 
its marketing staff: for the price of a few CDs — not even CDs, 
just approving some registration numbers for Windows 95 
which is obsolete anyway — it could have had at least a week’s 
worth of the warm fuzzies. 

But no, the rottweilers ran ahead of their owners and created 
an instant celebrity out of the charity’s operator. 

All that’s just the standard fare of the fanzines, but I got a 
little confused at the media strategy of the Linux distributor that 
decided to capitalise on Microsoft’s misfortunes by telling the 
world it would give free Linux CDs to charities. 

It’s not that Linux is free anyway — the CDs, after all, do 
carry real value in terms of documentation, installation help, and 
getting a bunch of extra packages without having to find the code 
and wait two days for the download over a 56K modem. 

“So what’s your problem?” Quinn asked. 

“Well, it’s just that everybody seems to punish poor people 
for being poor.” 

Of course, that needed explanation. 

“Well, Microsoft's lawyers are punishing them for not hav- 
ing licenses, and the Linux community wants to punish them for 
not having enough money to buy a commercial operating system.” 

“The punishment being going through the pain of using 
Linux on a desktop computer?” Quinn asked. 

“Exactly,” I said. “Linux is a good thing in a great many 
ways — even Microsoft uses open source code for some things, 
despite all its remarks about ‘viral’ licenses. But Linux is pro- 
foundly painful for ordinary users.” 

“Nonsense,” Quinn said. “Modern Linux distributions have 
installation routines that are as good as Windows.” 

Talk about praising with faint damns. Even if it were true, 
both Windows and open source operating systems assume a com- 
mon starting point for automating installation: that the user has 
run installations before, remembers the pain of the last installa- 
tion, and will therefore welcome any improvement, however small. 

Actually, regardless of how you view its market practices, 
Microsoft has had the right idea of how to make life easier for Joe 
Sixpack: get the shop to install the OS and demand nothing more 
of the customer than keying in a registration number. 

That’s where the Linux bigots get painful — not the sales 
people, the distributors, nor the technologists, but the bigots. 
Should anybody suggest that Linux is too hard for the individual 
user, the wrath of slashdot will descend. 

Even Quinn, who himself is a fully-fledged Linux sysop — 
right down to running up Samba and pretending he’s running an 
NT Server — has felt the scorching heat of a flamewar for suggesting 
that open source software was sometimes amateurish. 

“Problem is, because a lot of Linux people are reacting 
against Microsoft, the installations seem to use Microsoft as their 
benchmark. So they’re trying to build a better mousetrap.” 




“And then, if someone says it’s too hard,” I said, “the bigots 
tell them it’s because they’re too lazy to learn about computers.” 

“Right.” 

I happen to agree with Quinn here. The biggest PR problem 
the open source movement has is exclusivism: the meritocracy — 
itself a really good thing, in that theoretically only the best code 
survives into general use — has its downsides as well. In particular, 
“if you won't learn it, don’t use it”. 

“What would you say,” Quinn said, “if someone said you 
had no right to a washing machine if you can’t fix it yourself?” 

“I’d tell them I can fix my own washing machine. But of 
course a washing machine’s a lot easier than an operating system. 
The only thing my washing machine clashes with is the laundry 
wall, when it goes for a walk.” 

“You said you fixed it yourself?” “Yep.” “Did it ever occur 
to you that it might not walk if you got an expert to fix it?” 

I told him to get back to the point. 

“The point,” he said, “is that on the one hand, open source 
is pitched as a defender of democracy in computing. At the same 
time, we hear that open source is our only defence against bad 
software and Microsoft monopoly. And yet, the same people who 
advocate that world view believe that participation should be 
restricted on the basis of expertise.” 

There is hope, however: once upon a time, ordinary users 
were hounded off the Internet as well... . 
CRM Systems & Technologies Special Supplement 


By Richard Chirgwin 


The CRM Uncertainty Principle: 


Risks in Real-time Marketing 


When you try and pitch 
real-time offers to 
customers, what you 
don’t know can matter 
more than what you 
do know. Richard 
Chirgwin reports. 
In physics, uncertainty says you can’t know both position and velocity at the same time. The more you know about where an atom (for example) is, the less you know about where it’s going. The more you know about where it’s going, the less you know about where it is. 

Customer relationships are like that too: it’s easy to discover trends, and it’s easy to look at what’s happening right now — but to understand everything about a customer’s trends and current state, in real time, is very difficult indeed. 

Because of this, real-time marketing — the business of interpreting and responding to customer behaviour during a contact — is risky. Get it right, and you’ll improve your sales. Get it wrong, and you can invalidate long nights of marketing strategy meetings and technology implementations. 

And the greatest danger comes from trying to create a marketing offer when you don’t know enough about the customer. 


Do You Know Identity? 

Last year, Amazon twice found itself 
getting unfavourable press by making 
honeymoon offers to new customers 
that weren’t available to its regular, 
loyal customers. 

It’s easy to see how such a mistake 
could be made: since the Web server 
could tell the difference between a regu- 
lar customer (whose browser stored the 
Amazon cookie) and an unknown, why 
not try and cement the relationship from 
the very first purchase? Why not sense 
the difference between new and existing 
customers in real time, and tailor the 
offer to fit the corporate strategy? 

In this case, what Amazon didn’t 
know about the customer was obvious: 
that a cookie identifies a computer, not 
an individual. By pitching its honey- 
moon offer to a piece of hardware, 
Amazon ignored the likelihood that 
some of its users would be accessing 
the site through computers without 
the cookie: new machines, new 
browser installations, friends’ comput- 
ers, and so on. 

The result? The offer was made to 
the wrong people. Instead of welcoming 
the ‘hot price’, users resented it — and 
Amazon found itself on the defensive. 

That episode illustrates the ‘entry 
point’ for real-time marketing. You can 
create some level of generic offer based 
(for example) on the navigational 
behaviour of an anonymous user, but 
only at the coarsest level of granularity. 
If you don’t know identity, your offer 
will be to a profile, never to a customer. 

Even when you have a site with 
logins, username and password, and 
even when that site is compelling 
enough that customers actually stay 
with it in spite of the need to register, 
you can’t guarantee identity. 

Greg Wood, solutions marketing 
manager at the SAS Institute com- 
mented: “People generally don’t offer 
up information — we all use bogus 
names on Web sites sometimes. 
“All you can really get from the 
Web server is broad segmentation stuff 
which you might be able to use later. 
You can get some generic segmentation 
against that data, but without knowl- 
edge, you can’t measure anything. 

“Site metrics don’t help you increase 
the customer’s propensity to buy, they 
really only help you make traffic mea- 
surements and help you design the site 
better. You have to collect information 
from places other than the Web.” 

This leads to an interesting conclusion: despite the way the Web is presented as the ideal personalised, real-time medium, the inbound call centre is probably a better channel for real-time marketing. Customers are much more likely to identify themselves without qualm if they’re calling you than if they’re browsing your Web site. 

Warren Davies, marketing manager for Xchange Asia Pacific, says inbound traffic “is not like unsolicited communications — the customer has already made contact to discuss an issue”. 


Do You Know History? 

Vish Vishwanath, VP of Risk Management and Credit Analytics at Sears, Roebuck & Co, says any approach to making marketing decisions in real time has to start with the question: “Do we know enough about the customer to start a dialogue at all?” 

The answer to that question, Vishwanath said, sets the lower limit to our real-time abilities. For example, to make a particular offer demands that we know not just the customer’s individual profile and propensities, but also whether an offer has already been made and accepted or declined. 

The upper limit to real-time marketing is set, he said, by our knowledge about the customer, and by the corporate ‘reflexes’ — the company’s own ability to react in real time and create an offer. 

The grey area, of course, is between these two extremities. 

“The trap,” says E.piphany’s Australia/New Zealand managing director Chris Ciauri, “is to think that if you buy the technology, you’ll have a miracle. To start using real-time technology you need to understand that it’s an interactive learning process ... the more you can learn, the better the tool will get. 

“You’re not just putting offers in front of the user, you’re trying to get to know them better.” 

The starting point, he says, is for 
companies to integrate customer infor- 
mation from its various sources, “so as 
to have as deep an understanding as 
possible about the customer’. That, he 
said, also improves your confidence in 
the data sources your real-time deci- 
sion engines will be looking at. 

In other words, while it seems obvi- 
ous to say so, any attempt at real-time 
marketing has to start with an under- 
standing of an individual customer’s 
history — not just a history of their 
transactions, but also a history of their 
responsiveness to offers. 

That history needs to be cross- 
channel: someone who doesn’t want 
a new mobile phone from the telemar- 
keters probably doesn’t want it via 
e-mail either. 


And of course, as Vishwanath 
emphasised, your customer history 
should also embrace what kinds of per- 
missions you have from that customer 
for any kind of push-model marketing. 

The history will also define another 
boundary of real-time marketing. If 
you have a good understanding of how 
current your history is — how close to 
‘right now’ you understand customer 
history — you can relate that historical 
timelag to just how responsive your 
offer-creation should be. 


Do You Know Psychology? 

This is a really tough one. When you 
hear a visionary getting excited about 
the possibilities offered by mobile 
commerce — say, a marketing campaign 
to WAP phones — remember that while 
you can know customer location, and 
may even have a good understanding 
of a customer’s history right up until 
five minutes ago, it’s almost impossi- 
ble to know the customer’s psychology 
at a given point in time. What if the 
customer is passing your store, but 
angry at losing a business deal? Do you 
really want to make them an advertis- 
ing offer just because you know their 
location in real time? 

The grey area of customer psychol- 
ogy leads Davies to caution against set- 
ting the real-time engines to work too 
quickly. “You should not leap into a 
cross-sell or up-sell opportunity before 
you’ve started to deal with the issues 
the customer called about,” he said. 

That comes back to profiling as 
well, Ciauri said. A strategy so conser- 
vative that you try to never make a 
mistake will probably leave you too 
conservative with your offers to get 
any real benefit. Instead, he says, com- 
panies may want to balance radical or 
conservative real-time decisions 
against the customer’s profile. That 
way, you may be conservative with 
your most valuable customers — since 
the risk of losing the customer is 
greater than the risk of missing one 
opportunity — while less valuable cus- 
tomers may receive more offers (and 
over time, become more valuable). 

David Peters, CEO of churn man- 
agement specialist eMagine, cites an 
experience of a telecommunications 
carrier he worked with, which tried to 
profile customers by their behaviour 
when they called: “They wanted to 
identify the customer type” (for exam- 
ple, is Richard business-like or chatty 
when he calls an operator?). 

To do that, the telco asked its call 
centre agents to rate customer per- 
sonality types when they called. The 
outcome, of course, is obvious: most 
customers’ ‘personality’ changed 
from call to call, and the data col- 
lected wasn’t useful. 

Peters also reminds companies that 
permission marketing can make a big 
contribution to the right psychology. 
He likens this to the difference between 
‘personalised’ sites — where the tech- 
nology decides what users want — and 
‘customised’ sites, where users edit site 
presentation for themselves. 

Customised Web services are frequently more successful than personalised services, Peters said, and likewise, permission-based marketing allows customers to feel more in control of their destiny when they interact with you. 

Of course, customisation is less immediate than personalisation, but that’s where psychology comes into play. There are times, Peters said, when you might have a very good idea, in real time or close to it, that a customer is likely to churn — but that psychology tells you not to try reacting instantly. 

“Real time is not always the right time,” he said. For example, the incoming call may perfectly fit the model of a customer about to churn, and it may even accurately predict the right offer to prevent churn — but psychology and experience tell you that the best thing to do is to wait. 

That way, Peters said, the customer cools down, you can call in a sales expert instead of putting the load on service personnel, and the customer will feel special because you bothered to call back. 


Do You Know the Rules? 

Where you do decide to work in real time, Peters said, you need to have the offers prepared and ready-to-go. The offline preparation is important: if you end up with a million customer segments, no software in the world will put together good offers on the spur of the moment. 

Vishwanath says this depends on having good business rules as the basis of your real-time marketing efforts, and being able to communicate those rules to your contact environment. And the key, both to the offers and to the rules that surround them, is business foresight — which is a rare quality. Data gathering and analysis are important, but foresight will make the difference. 

Foresight will lead to risk-taking, Vishwanath added, since some offers may contradict what research predicts. The minivan is his favourite example: all the market research said car owners in America didn’t want minivans, but Chrysler created the vehicle and pitched it to the ‘soccer mums’ with great success. Not all the offers will work, though, so Vishwanath says you need procedures in place to withdraw unsuccessful offers at minimum risk both to the company’s reputation and to its relationship with customers. 


Do You Know When You're Wrong? 
And that leads us to the question of 
measurement. One of the most popular 
myths about real-time marketing is 
that it can tell you, instantly, how suc- 
cessful a particular offer is. 

That’s nonsense, of course. All you 
can measure is whether the offer was 
accepted instantly. What if a customer 
received a real-time offer, declined it 
today, but returned to accept in a 
week’s time? If your rules told your 
system to withdraw the offer the 
moment it’s declined, you’ve just 
alienated a customer. 

Even if the customer is still able to 
take up a week-old ‘real-time’ offer, 
you’ll only be able to assess that as a 
successful offer if your measurement 
systems can correlate data across a 
longer timespan. 

A simpler segmentation of offers, 
says Peters, also makes measurement 
simpler. While the real-time advocates 
believe offers should segment down to 
the individual level, how can you 
analyse success and failure against mil- 
lions of offers, millions of customers, 
and over extended time periods? Peters 
says this is a big logistical problem. 

And in the end, measurement will 
be critical — because if, like Amazon, 
you make mistakes in your real-time 
marketing efforts, a speedy response is 
the best way to limit the damage. 
Richard Chirgwin is group editor IT&T 
at Informa. He can be contacted at 
richard.chirgwin@informa.com.au. 
Privacy - Pleasure or Pain? 

By Katrina Clifford and Cameron Tomes 

With the impending Privacy Act amendments set to open a Pandora’s box of customer queries and complaints, are Australia’s financial institutions equipped to overhaul their business practices and CRM infrastructures? Katrina Clifford and Cameron Tomes report. 

While it seems most organisations have been rather lax in their approach to ensuring that, come 21 December, their operations are compliant with the new Privacy Amendment (Private Sector) Act 2000, the majority of Australian banks have dived headlong into tightening up their privacy tenets. 

But the big question few institutions will successfully answer over the next five months is: “Should we fast-track our CRM implementations to be confident that we can provide an enterprise-wide view of the customer, or stick to our guns and hope that any ensuing customer queries are not too complex?” 

Furthermore, institutions will arguably be too pre-occupied with the task of ensuring their business process and workflow practices comply with the privacy legislation to be confident that customer queries can be handled efficiently and with limited lag times. 

For its part, the CRM vendor community is supremely confident that their solutions are developed to accommodate, if only at a minimal level, the proposed changes to the privacy legislation. Yet most warn that full compliance rests not in lines of application code and drop down fields, but in the hands of the business people charged with re-engineering business processes and information flows. 

According to Point Australia managing director John Thompson, and E.piphany’s managing director Chris Ciauri, it’s not the responsibility of CRM vendors or their products to guarantee full compliance. Rather, the onus is on institutions to get their business strategies down pat. And, if organisations still hold grave concerns over the privacy functionality of their CRM systems, a handful of specialised privacy modules are emerging that could be bolted onto existing CRM platforms. 

“It is our responsibility to at least offer mid-level privacy functionality in our solutions and it would be pretty irresponsible of us if we didn’t at least give customers that option,” Ciauri explained. 

“The issue with privacy has more to do with business processes and less to do with customisation. Customers have to make privacy part of the implementation process and decide what role they want privacy policy to play to derive desired business outcomes.” 

Over at St George, privacy has been at the forefront of the bank’s strategic planning, with a privacy project currently in the works to ensure St George is privacy-compliant and CRM-readied by the cut-over date. 

According to Andrew Thornton, general manager of St George’s Group Customer Management division, while compliance is one thing, operating effectively within the proposed National Privacy Principles (NPPs) is another. 

For Thornton, the new legislation has given rise to two particular kernels of concern for banking institutions: demonstrating an understanding of the impact of opt-out provisions integrated into CRM strategies; and ensuring that in the event of a customer request, banks are equipped to provide all related customer data. 

“That’s why there’s 
an imperative for bank- 
ing institutions to have 
not only their tech- 
nology up to speed 
come 21 December, but 
to know their customers 
and the promotional 
information relevant to 
each individual,” Thorn- 
ton said. 

“At the end of the day, shotgun 
approaches to direct marketing will fall 
short of being able to identify what 
information you hold on customers and 
how to make the most of that data.” 

In light of ANZ’s own group-wide 
privacy project which has been in 
operation since the end of last year, 
Jane Nash, head of Government and 
Regulatory Affairs at ANZ is quick to 
side with Thornton when it comes to 
issues of readiness and the centralising 
of data stores. Indeed, it seems ANZ 
has somewhat of a head start on St 
George having already carried out a 
series of audits and gap analyses on its 
data repositories to identify potential 
compliance cracks. 

“Really this is about evolution rather 
than revolution for ANZ because the 
banking industry’s duty of confidentiality 
has always put privacy at the cornerstone 
of our operations,” Nash said. 

“Having said that, the proposed 
legislation does introduce a new vari- 
able to our operations — a customer’s 
right to not only access but correct their 
personal information. 

“Which adds an interesting dimension in the event of customer inquiries post-21 December given the amount of personal data we hold on individuals. To assist with this, we’re looking to employ a dedicated privacy officer, in addition to amalgamating the stores of data we already hold,” Nash said. 

[Photo caption: John Thompson, Point Australia managing director] 

But while consoli- 
dating the morsels of 
information held on a 
customer into a com- 
mon data pool is one 
thing, when it comes to 
actually coughing up 
the goods, St George’s 
Thornton says cus- 
tomers demand that data 
is up-to-date, not six 
months old. 

“Even though the 
information St George 
has in its data warehouses at the 
moment is in good shape, the imper- 
ative is to ensure that the data 
remains consistent and current across 
the network of banking channels,” 
Thornton said. 

“In response to these sorts of cus- 
tomer expectations, we’re building 
what we call a Group Customer Infor- 
mation system which links the touch 
points through which we 
interact with customers. 

“This, along with our 
privacy project, is being 
developed through exist- 
ing projects in order 
to minimise the costs 
of compliance with the 
NPPs,” Thornton added. 

While very few insti- 
tutions are as yet will- 
ing, if able, to quantify 
the costs of compliance, 
ANZ’s Nash concedes 
the need to build both 
efficient and cost-effective privacy- 
compliant business processes, will 
incur customer charges to offset the 
required capital investment. 

“The last thing we want to do 
though is slug customers with hefty 
charges,” Nash lamented. 


[Photo caption: Chris Ciauri, E.piphany managing director] 


According to Andersen’s Channels 
and Customer Solutions Practice part- 
ner, Neville Bagot, it’s almost a given 
that customers will be charged one 
way or another. He added that trying to 
factor privacy compliance costs into 
a budget is challenging because tech- 
nology alone won’t solve the problem. 

“The basic level of privacy compli- 
ance costs for a large organisation 
could be anywhere between $250,000 
to $1 million, but that figure just 
covers business compliance,” Bagot 
warned. “For true compliance organi- 
sations will have to redesign systems 
infrastructures, address staff training 
costs, revisit security and data man- 
agement policies and understand the 
privacy ramifications of third party 
data flows — four requirements that 
could balloon costs into the millions.” 

Yet despite the concerted efforts of 
institutions to get a jump on compliance, 
Chris Connolly, director of the Financial 
Services Consumer Policy Centre 
(FSCPC) claims their efforts to consoli- 
date divisional customer profiles are not 
as important as pinpointing where a cus- 
tomer’s data has been 
acquired from. As it is, 
Connolly claims banking 
institutions still 
need to grapple with 
the complexities of 
‘consent’ as defined in 
the NPPs. 

“Take for instance 
the current processes 
for credit card appli- 
cations wherein cus- 
tomer consent to credit 
checks usually ends up 
equating to the repro- 
cessing of that personal data for direct 
marketing campaigns,” Connolly said. 

“Application for a credit card 
under the new regime will remain an 
implicit consent to the use of personal 
information for the primary purpose of 
obtaining a credit card.” 
“However, financial institutions 
will now have to disclose and provide 
customers with an opt-out option on 
the use of that data for the secondary 
purpose of direct marketing. 

“This is again complicated in the instance of Qantas and Telstra Visa cards, for example, where we’re also talking about disclosure of personal data to third parties,” Connolly added. 

According to Nash, the NPPs require explicit consent from customers before personal information can be shared with third parties, but they do not require explicit consent from customers for the sharing of personal information between an organisation’s internal divisions. 

“ANZ will disclose to its customers that their information may be shared internally, but we have no intention of seeking their explicit consent,” Nash said. 

“The ‘quid pro quo’ of doing this is that if a customer then opts out of receiving direct marketing material from one area of the organisation, they effectively opt out of receiving direct marketing from all areas.” 

But it’s an argument the FSCPC’s Connolly “isn’t sure about”. 

While some industry observers might suggest that ANZ is seriously threatening its revenue growth strategy by ruling out cross- and up-selling tactics for customers who baulk at one division’s offer, it is indicative of the myriad of approaches the financial services sector is taking to privacy. But one point is clear: institutions must have privacy contingency plans irrespective of whether customers buy-in to promotional offers. 

Point’s John Thompson explained that much of the success of cross- and up-sell strategies would be dependent upon how institutions react to the customers’ decision to opt-in or opt-out of initial marketing offers. 

“The intent of institutions will always be to up-sell. If they are discreet in their customer interaction learning processes then surely it must be a better business strategy than not telling customers what they’re doing with the data they’ve obtained,” he said. 

Andersen’s Bagot suggested that 
most institutions haven’t effectively 
dealt with the privacy issues that cross- 
divisional marketing 
can expose, particularly 
when campaigns are 
initiated through Inter- 
net access channels. 

“At the initial 
point of contact, privacy 
shouldn’t affect 
any cross-selling out- 
comes,” Bagot said, 
adding that “in push 
media initiatives [how- 
ever] institutional pri- 
vacy compliance can 
be compromised.” 

E.piphany’s Ciauri agreed that 
while, in principle, institutions should 
not be punished for enhancing customer 
profiles to deliver what customers are 
demanding — a better, more holistic 
experience — the privacy impacts of the 
strategies deployed to achieve this end 
could be called into question. 


[Photo caption: Andrew Thornton, St. George Group Customer Management general manager] 


“The waters get murky when 
you’re talking about new customer 
acquisitions and blasting out mass 
marketing initiatives across multiple 
access channels,” Ciauri explained. 

“The challenge for institutions is 
how can they communicate informa- 
tion gathering intentions to customers 
if they’re trying to identify non-prof- 
itable customers?” 

Either way, neither St George’s 
Thornton nor ANZ’s Nash anticipate 
an onslaught of customer requests for 
data disclosure come 21 December. 

“Naturally, St George expects there 
will be a certain amount of general 
inquiries from customers curious about 
the nature of the data we hold on them. 
But we’ve tried to diffuse any potential 
blitz of inquiries by pro-actively dis- 
closing to customers in advance the 
kind of information we collect and the 
ways in which we manage that data,” 
Thornton boasted. 

Indeed, one can’t help but register a 
certain enthusiasm for the imminent 
legislation on Thornton’s part. 

“Organisations have 
tended to look at the pro- 
posed privacy protection 
principles in a negative 
light — which is a circum- 
stance of people’s fear to 
change tactics. Ironically 
enough though, one of 
the key demands for 
effective CRM remains 
an openness to change,” 
Thornton said. 

“Because the privacy 
principles force organi- 
sations to sit down and 
think long and hard about ways of 
approaching customers with relevant 
promotional information, the NPPs 
should be seen as an opportunity to 
enhance CRM strategies. 

“After all, if you think about it, 
economising your direct marketing 
efforts should then minimise your 
mailout costs while increasing customer 
response rates,” Thornton reasoned. 

Naturally this sort of optimistic 
talk is music to the ears of consul- 
tants such as Bagot, who could 
be bombarded by calls from institu- 
tions wondering how they’ll drive 
privacy compliance-related risk out 
of their businesses. 

“What the privacy amendments 
will do is make institutions understand 
the importance of using customer data 
more efficiently. 

“Even though the legislation is still 
in draft form and is somewhat vague 
and ambiguous in its compliance 
recommendations, we are witnessing 
increasing levels of concern among 
institutions looking to ensure that their 
procedures are compliant,” Bagot said. 

“Organisations are worried that customer
queries will increase, and they’re
increasingly concerned about abusing 
customer information and the impact 
this might have on their brands.” 

So come 21 December, will the 
much-lauded CRM strategies deployed 
by institutions buckle under the strain 
of customer queries and reservations 
about cross-selling campaigns? 

Ciauri and Thompson predict that 
institutions could be forced to fast-track 
their plans to provide an enterprise- 
wide, single view of their customers’ 
details in order to avoid sluggish 
response times. 

“If more and more people complain 
and institutions struggle to provide the 
requested information it could really 
test their understanding of what it 
means to have a single view of the 
customer approach,” Ciauri said. 


Katrina Clifford is a journalist and 
Cameron Tomes is the editor of 
Asia Pacific Banking Technology. 
They can be contacted at 
katrina.clifford@informa.com.au and 
cameron.tomes@informa.com.au. 


Supplement August 2001 




Speed, accuracy, power ... 


it’s no wonder QuickAddress 
can also save money. 


> Enter addresses faster with up to 80% less 
The CRM Market:
Vendor Verification 


In a way, writing an article about
vendors in customer relationship
management is the trade press
equivalent of trying to ascertain the
length of a piece of string.

At first pass it is difficult to determine 
exactly what comprises a CRM vendor. 
But for the purposes of this article, a 
CRM vendor is defined as being a 
provider of technology and solutions
which the company uses to interact with 
their customers, and with which the 
company refines those interactions. 

Initially CRM applications were 
confined to sales force automation or 
call centre automation software, but 
have expanded to also include campaign 
management, workforce management, 
marketing, e-mail response, Web self-service,
opportunity management, leads
acquisition, contact management and
customer profiling — among others. 

The definition of the customer has 
changed as well, with organisations 
realising that they should also fine- 
tune their relationships with suppliers, 
partners and employees — other- 
wise known as extended relationship 
management (XRM). 

The Tier 1 CRM vendors would
include such players as SAP, Siebel 
Systems, PeopleSoft/Vantive, Chor- 
diant, E.piphany and Oracle. These 
vendors have typically reached the 
Tier 1 space because of their longevity 
in the market, their market share, and 
their ability to adapt their business 
models, to continually develop their 
product offerings in order to remain 
relevant, and to attract and maintain 
implementation partners. 
(See Table on page 73 for 
selected CRM vendors.) 

In addition, Tier 1 CRM 
vendors who started out 
with one or two pieces of 
the package have steadily 
increased their capabilities 
through product develop- 
ment, acquisition or part- 
nership — and sometimes a 
combination of all three. 

We’ve also seen telecommunications
equipment
vendors such as Nortel, 
Alcatel and Ericsson, 
expand into CRM through 
acquisition (Nortel bought 
Clarify, and Alcatel bought Genesys)
and development (Ericsson). 

There will be a further shakeout of 
specialist CRM vendors, according to 
Meta Group program director, Applica- 
tion Delivery Strategies, Rod Hawken, 
given the quantity of vendors: “The 
mid-size guys will suffer the most. I 
don’t think they have the money to sur- 
vive, they can’t keep investing in the 
R&D and the marketing.” 

Tier 2 vendors include companies 
such as SalesLogix, Aspect, Onyx, 
NCR, StayinFront, Edify, SAS Insti- 
tute, Talisma, Epicor, Staffware and 
Frontrange — some of which are 
substantial entities, but just not quite 
as big or as long in the tooth as the 
Tier 1 companies. 

At the same time, smaller CRM ven- 
dors are entering the market, generally 
on a local basis, and targeting the small 
to medium enterprise. This reflects an 
increasingly competitive world in which 
even the SME is driven towards having 
to understand more about their cus- 
tomers so that they can compete equally 
with the large corporates and multina- 
tionals which have, in turn, deployed 
CRM systems so that they can provide 
the personalised customer service which 
was originally the SME differentiator! 

Such companies include ACT!, 
Goldmine, Multiactive Software and 
Next Systems. Their premise is that 


Continues on page 74 
| Company Name | Contact Details | CRM Products | Modules |
|---|---|---|---|
| Aspect | (02) 8923 1300 | Includes Contact Server, Customer Self-Service and Customer DataMart | Skills-based routing, Web-collaboration, service and data mart |
| Avaya | (02) 9352 9000; or nmclennon@avaya.com | Avaya CRM | Includes EContact Suite, Commitment Management (CRM Central and Advocate), among others |
| Cincom Systems | (02) 9411 9300 | Cincom Encompass, iC, ignitexP and iD Solutions | Marketing and sales, customer service, contact centre and e-commerce |
| Centrix | (08) 9481 0344; or info@centrix.com.au | Customer First and Market Manage | Market Intelligence, Contact tracking and customer intelligence |
| Chordiant | (03) 9607 1308 | Unified CRM and Marketing Director (formerly Prime@vantage) | Customer Self-Service and Marketing Automation |
| Delano | (03) 9412 0332 | Delano Marketing Suite, Service Suite and the Delano Platform | Customer service, marketing and analytics |
| DST International | (02) 9235 1888 | Hi Contact, Multi Channel Communications | Knowledge Management, CRM, Sales Force Automation |
| Edify | (02) 9238 6862 | Edify Enterprise | Virtual CSR (Speech Recognition), Sales, Service Automation |
| E.piphany | (02) 9492 1200; or http://www.epiphany.com | E.piphany E.5 | Marketing (with Real-Time Personalisation and Campaign Management Apps), Enterprise Insight, Service and Sales |
| Epicor | 1800 033 857; or http://www.epicor.com | eCRM | Customer Support, Sales and Marketing and Remote Data Flow |
| Frontrange | (02) 8080 3300; or info@goldmine.com.au | Goldmine 5.0 and FrontOffice | Sales, Marketing, Service and Support |
| IT Factory | (02) 9266 2222 | IT Factory CRM for Notes/Domino | Sales and marketing, e-commerce and customer service |
| iTouch Australia | (02) 9490 9600; or info@itouch.com.au | iService, iSell and iDeliver | CRM and Workforce Management via wireless devices |
| Multiactive Software | 1800 800 610; or info@multiactive.com.au | Maximiser Enterprise V 6.0 | Database capability, lead acquisition, opportunity management, customer profiling, team selling, e-mail management and reporting |
| NCR Teradata | (02) 9964 8111 | Teradata CRM (and Datawarehouse) | Analysis, Modelling, Communication, Optimisation and Personalisation |
| Nortel Networks | 1800 817 070 | Clarify CRM | eSupport, eResponseManager, eFrontOffice and eOrder |
| Onyx | (02) 9409 4300 | Onyx Enterprise 2001 | Marketing, Sales, E-Service, Mobile and Business Intelligence |
| Oracle | 1300 366 386 | Oracle CRM (Part of e-Business Suite) | Sales, Marketing and Service |
| PeopleSoft | (02) 9413 0000 | PeopleSoft 8 CRM | Sales, Marketing, HelpDesk, FieldService, Support and Interaction Management |
| Point Australia | (02) 9957 4860; or solutions@pointaustralia.com | e-Point | Marketing, sales and service and industry specific modules |
| SAP | (02) 9935 4500 | mySAP Customer Relationship Management | Operational, Analytical and Collaborative CRM |
| SAS Institute | (02) 9428 0428; or info@oz.sas.com | SAS Release 8.2 | Operational and Analytical CRM; Churn Management and Vertical Modules |
| Siebel Systems | (02) 9012 3100 | Includes Siebel .COM Applications, Call Centre, Field Sales and Services | A number including eMarketing, eService, eMail Response, eBriefings and eContent Services and the Interactive Selling Suite |
| Staffware | (02) 9458 2100; or http://www.staffware.com | Staffware eCRM | Modules targeted at Vertical industries like insurance, financial services and telecommunications |
| StayinFront | 1800 855 276 | Visual Elk 8.1 | Sales, Marketing, Customer Support and Vertical Industry Applications |

Vendor Overview
Continued from page 72 


they can provide the same sorts of capabilities as the Tier 1 
and Tier 2 CRM vendors, but strip these capabilities down to 
those that are most relevant to the SME and provide the pack- 
age at a reasonable price. 


Thinning Channels 

On the technology side, the most significant development
in the last twelve months to two years has been the expansion
of channels to incorporate e-mail and Web capabilities
— a development that gave rise to the term eCRM. Most 
vendors have either added these kinds of capabilities into 
their own product, or partnered with other companies in 
order to deliver solutions to their customers. 

In other instances, the vendors are rearchitecting their 
platforms to become J2EE or .Net architectures — simply 
because client-server applications are more expensive to run 
than thin client. 

The use of Internet technologies has also precipitated the 
offering of CRM as a hosted solution, but this is an emerging 
market as yet. 

Another emerging channel is wireless, but this has really 
only started in the areas of business intelligence and sales 
force automation. 


Choose Wisely 

So how does an organisation make a decision? Hawken 
says that if a company puts out a tender for a CRM imple- 
mentation, they should look at the financial viability of the 
respondents, how many clients they have, their successful 
implementations and when they last made a sale. 

It’s a tough call: do they install a complete offering from
one vendor, for example, or are they better served by targeting
their business dollar?

Despite this, WorldGroup Consulting’s Andy Zaple said 
that most established companies will probably be better 
served by the best of breed approach, while greenfields sites 
are probably better off taking on an end-to-end solution. 

But the fact is, with 2,000 CRM vendors (Source: 
Gartner Group) competing for your business, one of the 
biggest challenges companies will face is making sure 
they get the support they need — and getting that support 
makes a big difference to an organisation’s CRM imple- 
mentation, Zaple said. 

Pamela Clark-Dickson is the editor of CommsWorld and 
e-Access, and David Masters is a journalist at CommsWorld, 
e-Access and Systems Developer magazines. They can be 
contacted at pamela.clark-dickson@informa.com.au and 
david.masters@informa.com.au respectively. 
InstallShield AdminStudio 2.0 NEW!

AdminStudio is designed specifically to meet the application pre-deploy-
interface for an easy-to-use, yet robust solution. Price TBA.


InstallShield Express 3.5 NEW 

The fastest, easiest and most economical solution for devel- 
oping straightforward installations. Express lets you create 
genuine InstallShield installations in less than a day, using a 
visual installation checklist. Express fits any budget and can 
be upgraded to Developer. $658.90 inc GST. 


Whatever your installation requirements, 
InstallShield Resets the Standards in 
Installation Authoring and Repackaging. 


InstallShield MultiPlatform 4.0 

Robust installations for Solaris, Linux, AIX, OS/2,
OS/400 and Windows. Developers targeting
multiple platforms can now leverage one
InstallShield product to write a single installation
that will deploy on multiple platforms with
consistent end-user experience every time.

$4884.00 inc GST.
Aeronaut... where exceptional software and intelligent solutions come to life!


Aeronaut provides developers with the total solution for InstallShield software: expert advice, product acquisition,
training, consulting and support, Australia wide. We are the only certified InstallShield trainer in Australia.


We stock a huge range of developer software from vendors including InstallShield, RoboHelp, Crystal Decisions,
ComponentOne, Microsoft MSDN, Compuware-Numega, Sybase, FMS, Data Dynamics, Clarion, Extended Systems, Intel
Dialogic, Artisoft, Intel Parity and many more.


We have been servicing the developer market for over 14 years. What sets us apart is our ability to offer you the very
best advice, pricing, service, software supply, training, consulting and support.
If we don’t have what you're looking for, we'll search the galaxy to find it for you.


To Order Call 1800 356 525, email sales@aeronaut.com.au or fax 02 9436 1184 




Rational Rose® is the #1 Java development and Visual Modeling tool. IDC names Rational Rose the
market leader for the fifth year in a row.* Now you can control the synchronization between code
and models. Choose the entire model or select model elements. Turn it on all the time or only when
you want. Rational Rose is tailored for easy and efficient developer use. It packs the power to help
you build better software, faster. Gain full life-cycle support for Java source code including J2SE™,
J2EE™ and J2ME™ platforms. Resilient and component-based architecture developed with Rational Rose
substantially reduces application rewrites associated with code-only based software development.
Put Rational Rose on your team and gain the flexibility, extensibility and compatibility that
professional Java developers choose first.

Rational the e-development company™


Log-on to www.rational.com/australia/jdj for more information and a Java white paper and CD.


© 2001 Rational Software Corporation. Rational, the Rational logo, Rational the e-development company, Rational Rose are trademarks or registered trademarks of Rational Software
Corporation in the United States and other countries. J2SE, J2EE, J2ME, Java and all Java-based trademarks and logos, among others, are trademarks or registered trademarks of 
Sun Microsystems, Inc. in the U.S. and/or other countries. 


*IDC Report 22438: Application Design and Construction Tools Forecast and Analysis, 2000-2004.


